Information management system

ABSTRACT

An information management system is described comprising one or more workstations running applications which allow a user of the workstation to connect to a network, such as the Internet. Each application has an analyser, which monitors transmission data that the application is about to transmit to the network or has just received from the network, and which determines an appropriate action to take regarding that data. The analyser may consult policy data containing a supervisior-defined policy to govern the workstations in order to determine what action to take. Such actions may be extracting data from the transmission data, such as passwords and usernames, digital certificates or eCommerce transaction details for storage and record keeping; ensuring that the transmission data is transmitted at an encryption strength appropriate to the contents of the transmission data; determining whether a check needs to be made as to whether a digital certificate received in transmission is valid; determining whether a transaction about to be made by a user of one of the workstations needs third party approval before it is made; and controlling the transmission of messages, such as e-mails according to a policy.

BACKGROUND OF THE INVENTION

[0001] This invention relates to the provision of extended managementfunctionality for Internet applications, particularly in the areas ofinformation security, transaction auditing and reporting, centralizedpolicy, and application connectivity.

[0002] Electronic commerce (“eCommerce”), particularly betweenbusinesses (B2B), but also between business and consumers (“B2C), is afast growing market where buyers and sellers communicate using theInternet, a worldwide network of linked computer systems, instead of bytraditional means such as mail, telephone and personal meetings. Sellersadvertise products and services using digital brochures and catalogues,which can be viewed or downloaded via an Internet connection, throughpages on the World Wide Web, or via electronic marketplaces typicallydealing in the goods and services of a particular market sector. Buyerscan find suppliers, select goods, obtain quotations, place and trackorders, and even make payments entirely electronically and at any timeeCommerce brings the promise of increased flexibility, choice andefficiency, with dramatically reduced procurement costs.

[0003] There are two universally accepted means of interfacing users tothe Internet. The first of these is the ‘Web Browser’ which allows usersto view pages on the World Wide Web by accessing individual web sites,the addresses of which are typically widely published either usingtraditional means, or are referenced in another web site. The mostwidely adopted web browser is Microsoft Corporation's “InternetExplorer”.

[0004] The second means of interfacing is using an Electronic Mailprogram, with which the user composes a message, known as an e-mail,which is then electronically routed to the address of the intendedrecipient over the Internet. Well known Electronic Mail programs includeIBM Corporation's “Lotus Notes” and Microsoft Corporation's “Outlook”.

[0005] In a typical eCommerce scenario, a buyer might identify aparticular product, together with pricing and delivery information, onthe sellers web site. He may then place an order, either by filling inan electronic order form on the web site, or by sending an e-maildirectly to the seller. The order would typically include a commitmentto payment, perhaps in the form of Credit Card details, or by someelectronic payment means. The seller would then typically send a returne-mail to confirm acceptance of the order.

[0006] Web Browsers operate in accordance with recognized standards, inparticular Hyper Text Transfer Protocol (“HTTP”), described fully inInternet standards document RFC2616. Electronic Mail programs operate inaccordance with recognized standards, in particular Simple Mail TransferProtocol (“SMTP”); described fully in Internet standards documentRFC0821 and Multipurpose Internet Mail Extensions (“MIME”) describedfully in Internet standards documents RFC2045-2049.

[0007] While eCommerce provides enormous benefits, its adoption raisesmany new issues, which must be addressed in order to ensure itscontinued adoption, particularly if it is to ultimately replacetraditional methods. One of the central issues is security.

[0008] The Internet is an open communications network, which is bydefinition insecure since anyone can use, it. Means to secure sensitiveinformation to be exchanged over the Internet (for example in aneCommerce-transaction) have been provided by the adoption of securetransmission protocols and messaging. Secure point to point transmissionprotocols, used for example between a web Server and a web Browser,include the ‘Secure Socket Layer’ (“SSL”), defined by NetscapeCommunications Corporation, and its successor ‘Transport Layer Security’(“TLS”) defined in Internet standards document RFC2246. Secure e-mailmessage standards include ‘Secure Multipurpose Internet Mail Extensions’(“S/MIME”) described fully in Internet standards document RFC2623 and“Pretty Good Privacy” a public domain secure messaging system developedby Philip Zimmerman.

[0009] In order to control access to information on servers connected tothe Internet, a system of usernames and passwords has been widelyadopted. For example, access to discounted price lists on a particularweb server may be restricted to trade users who have previously beengiven a username and password allowing them access. Similarly, on-lineinformation services typically make extensive use of usernames andpasswords to restrict access to those who have paid for the service. Byproviding each user with a unique username and a changeable password,the service can ensure that only paid subscribers can access the system,and allow users to prevent access by others to their personal datastored by the service.

[0010] In eCommerce applications, a major problem is the issue ofidentity and trust. When a supplier receives an order via the Internetit is perfectly possible, even likely, that he has no prior knowledge ofthe customer. The supplier must establish that the customer is a) who hesays he is, in other words that he is not masquerading as someone else,and that b) he is to be trusted and will ultimately pay for the goods orservice to be supplied. These issues have been addressed in the B2Cmarket principally by the use of credit cards. The customer provides hiscredit card number and address with the order, which the supplier thenverifies with the credit card company, and obtains authorization for thecharge. The entire process is typically carried out on-line withouthuman intervention. This method is largely effective where a supplierships goods to the cardholder address, since a potential thief would notonly need to steal the cardholders details, but would also need tointercept delivery of the goods. It is much less effective in the caseof services where no physical delivery is involved.

[0011] Clearly, the use of credit cards in eCommerce, though widespread,is restricted to small-scale transactions potentially involving amounts,say, up to $10,000. For those transactions above such amounts (which inaggregate monetary terms far exceed those below them), a mutuallytrusted third party must be used to establish both identity and trust.

[0012] Central to establishing identity is the use of DigitalCertificates. The customer can be issued with a Digital Certificate by atrusted third party, which is then used to electronically ‘sign’communications. On receipt of a signed message, the recipient (in thiscase the supplier) can positively establish a) the identity of thesender, b) that the message has not been altered, and c) that the sendercannot subsequently deny he sent the message. Recognized standards forDigital Certificates are described in ITU document X.509, and their usein Internet communications in Internet standards documents RFC2312,RFC2459, RFC2510, RFC2511, RFC2527, RFC2560, RFC2585 and RFC2632.

[0013] Chargeable, Third party services, such as that provided byValicert Inc., can be used to verify that a Digital Certificate has notbeen revoked, for example after the certificate has been compromised insome way.

[0014] Once authenticity of messages is established, the supplier canuse another third party to establish trust, or the same third party canbe used to establish both authenticity and trust. For example“Identrus”, a consortium of the world's major banks, provide a systemsuch that when a supplier receives a message signed with an Identrusissued Digital Certificate, he can independently verify that thecustomer is a valid account holder in good standing with a recognizedbank.

[0015] Ultimately the system is to be extended such that the bank willadditionally warrant the transaction, thereby guaranteeing payment tothe supplier. It will be appreciated that the terms ‘customer’ and‘supplier’ can apply to any two parties engaged in Internetcommunication.

[0016] It can be seen that appropriate combinations of the systemsdescribed provide a secure foundation for use of the Internet and theservices and functions available through it. However, we haveappreciated that there are a number of problems with conductingeCommerce using only these systems. These problems are discussed below.

[0017] In the secure transmission protocols and messaging referred toabove, data is usually encrypted before transmission and decrypted bythe intended recipient prior to viewing. Thus, should the data beintercepted during transmission, it will be safe from viewing byunauthorised third parties unless they know or can ascertain the secretencryption key of the encryption algorithm.

[0018] The encryption and decryption of data at each end of a securelink or message requires significant processing power. Additionally bothtransmitting and receiving parties must be in possession of the sameencryption key of the encryption algorithm, at the same cryptographicstrength, in order for the system to operate successfully. This oftenpresents a problem, for example where regulations for the import orexport of data into or out of a computer system prohibit the use ofhigher strength algorithms, forcing the link or message to be encryptedat a lower cryptographic strength, or preventing secure communicationsat all. Consequently, secure links and messaging are typically used onlywhen necessary.

[0019] In the case of communications over the World Wide Web, therequirement to secure transmissions is determined and initiated by theweb Server. If, for example, the server is about to transmit an orderform for completion by the user it may initiate a secure link such thatthe order information will be encrypted when transmitted back to theserver. Similarly, once the order is complete the server may terminatethe secure link and return to normal unencrypted communication.

[0020] Typically, the only indication the user has that a link has beensecured is an icon (usually depicting a padlock), which appears in thebrowser window. Once the icon has appeared, the user can then typicallyinterrogate the browser to determine the strength of the encryptionalgorithm being used, and can decide whether or not to enter, andsubsequently transmit sensitive information, such as his credit card andaddress details.

[0021] In practice however, users frequently do not check that the linkis secure, far less that it is of suitable cryptographic strength toprotect the information being transmitted. In order to address thisproblem, e-mail applications such as Microsoft Corporation's “Outlook”provide the ability to encrypt all e-mails by default.

[0022] The wide adoption of usernames and passwords has created amanagement problem for many Internet users due to the sheer number thatneed to be remembered, particularly when good security practice requirespasswords to be frequently changed. Similarly, users will often need touse a variety of different usernames since someone else may already havetaken their ‘favourite’ at a given site. Facilities to remember, and toautomatically complete username and password fields on subsequentoccasions, have been provided in web Browsers such as MicrosoftCorporation's “Internet Explorer”, and by add-on ‘helper’ utilities suchas Gator.com's “Gator”. These facilities typically maintain a file ofusernames, passwords and the web page to which each applies. These filesare encrypted to ensure that only the appropriate user can access them.If such username and password files are lost or become unavailable, suchas when the authorised user has forgotten the encryption key or can nolonger be contacted to provide it, or when the file is accidentally ormaliciously lost, destroyed, or corrupted then access to Internetaccounts and services may be lost, and each site must be approachedindividually to replace or recover the necessary username and/orpassword. This can be a very expensive problem for corporations in termsof lost access and administrative time. Additionally, such rememberedusernames and passwords are only available for use on he machine onwhich they were originally used. If the user moves to another machine,or uses multiple machines then the stored usernames and passwords areunavailable to him from those other machines.

[0023] All businesses, and many individual users, have a legalobligation to maintain accurate records of the transactions theyundertake, but for eCommerce transactions this can prove difficult.Businesses must keep records for auditing purposes, for example to provethe terms upon which goods were ordered in the event of a dispute. Suchrecords are considerably more difficult to maintain in an eCommerceenvironment, requiring the user to retain, for example, copies of orderssent by e-mail, or to print out the web page receipt from a web sitepurchase. For the user, this is labour intensive and there is noguarantee that any such created records are complete or reliable.

[0024] One automated solution of keeping records of eCommercetransactions is provided by Max Manager Corporation's AMax Manager@application. Max Manager captures receipt pages at known web sites,extracts transaction information from those receipt pages, and thenstores locally both the receipt page and the extracted transactioninformation on the machine on which the application is running. However,in order to operate, Max Manager must be supplied with the exact addressand layout of the receipt page. Max Manager determines that an eCommercetransaction has taken place either by detecting the address of thereceipt page, or by comparing the current page being viewed by a browserwith the layout of the receipt page that it has been supplied with. Onceit has identified a receipt page, the relevant transactions details areextracted from the receipt page by using the known layout of the page asa template for matching purposes. A significant drawback with MaxManager is that it may only be used to extract data from those pages forwhich it has been supplied with details. Moreover, if the layout of thereceipt page is changed then Max Manager cannot meaningfully extract anydata from the page until it is supplied with a new template for thechanged layout. Since web sites change frequently, Max Manager must beconstantly updated to take account of such changes. This is impracticalon a large scale and inevitably leads to transactions being missed, orworse reported incorrectly.

[0025] Problems also stem from the fact that computer terminals aredistributed, often resulting in terminals and users being located atdifferent locations. In multi-user environments, user machines may bephysically connected to each other, for example using a Local AreaNetwork (“LAN”), which provides a gateway for connection to theInternet. They may also be connected to local servers such as MicrosoftCorporation's “Exchange Server”, which acts as a central collection anddistribution point for e-mail messages, and Microsoft Corporation's“Proxy Server”, which acts both as a cache to improve performance offrequently visited web Sites, and as a filter to prevent access tocertain web Sites which may have been designated as undesirable.However, in so far as the exchange of information is concerned, exceptin the case of a message sent between two local users, each useroperates entirely in isolation from others at the same location. Thispresents a significant management problem for corporate and otherorganizations, which have no means of centrally controlling employeeactivity and cannot benefit from the significant cost savings that mightbe made from the sharing of information. For example, two users in anorganization may independently receive e-mail messages digitally signedby the same sender. Both recipients must separately validate the DigitalCertificate incurring two validation charges, at least one of which wasunnecessary.

[0026] The present, invention provides additional functionality to thesystems mentioned above to alleviate their inherent problems and toprovide a single integrated system for information exchange.

SUMMARY OF THE INVENTION

[0027] The invention is set forth in the independent claims to whichreference should now be made. Advantageous features of the invention areset out in the appendant claims.

[0028] The information management system provides many advantages in theeCommerce environment to on-line trading companies, who may benefit bybeing able to regulate the transactions made by their staff according totheir instructions encoded in the policy data, automatically maintainrecords of passwords and business conducted on-line, avoid paying forunnecessary checks on the validity of digital certificates, and ensurethat the transmission of data by their staff is always carried outsecurely.

BRIEF DESCRIPTION OF THE DRAWINGS

[0029] The preferred embodiment of the invention will now be describedin more detail, by way of example, and with reference to the drawings inwhich:

[0030]FIG. 1 is a schematic illustration of the present arrangement ofsystems and resources making up the Internet according to the prior art;

[0031]FIG. 2 is schematic illustration of the preferred embodiment ofthe invention implemented in a corporate environment;

[0032]FIG. 3 is a schematic illustration of the operation of a webbrowser in accordance with the preferred embodiment of the invention;

[0033]FIG. 4 is an illustration of a typical input window generated by aweb browser;

[0034]FIG. 5 is a schematic illustration of the operation of an e-mailclient in accordance with the preferred embodiment of the invention;

[0035]FIG. 6 is a flowchart illustrating the operation of a plug-inmodule, according to a preferred embodiment of the invention, forcapturing username and password values transmitted by a user to a remoteweb site;

[0036]FIG. 7 is an illustration of example policy data specifyingcontrol conditions for recording data;

[0037]FIG. 8 is a flowchart illustrating the operation of a plug-inmodule, according to a preferred embodiment of the invention, forrecognizing credit card numbers contained in data transmitted to or froma web server or e-mail client;

[0038]FIG. 9 is a flowchart illustrating the operation of a plug-inmodule, according to a preferred embodiment of the invention, forestablishing the validity of a digital certificate received by a user;

[0039]FIG. 10 is an illustration of example policy data for determiningwhether or not a digital certificate should be verified;

[0040]FIG. 11 is a flowchart illustrating how the example policy datashown in FIG. 10 is used to determine whether or not to verification isrequired for a digital certificate;

[0041]FIG. 12 is a flowchart illustrating the operation of a plug-inmodule, according to a preferred embodiment of the invention, foridentifying transmissions from a user or to a user that comprise part ofan eCommerce transaction;

[0042]FIG. 13 is an illustration of example policy data intended to beused with the process illustrated in FIG. 12 to identify a transaction;

[0043]FIG. 14 is a flowchart illustrating the operation of a plug-inmodule, according to a preferred embodiment of the invention, forrecording transmissions identified as comprising part of a singletransaction thereby forming a record of the transaction;

[0044]FIG. 15 is a flowchart illustrating the operation of a plug-inmodule, according to a preferred embodiment of the invention, forapproving or rejecting identified transactions on the basis of apredetermined policy setting; and

[0045]FIG. 16 is an illustration of example policy data for determiningwhether an identified transaction requires approval, and for identifyingan appropriate approver;

[0046]FIG. 17 is a flowchart illustrating the operation of a plug-inmodule, according to a preferred embodiment of the invention, fordetermining an appropriate level of encryption for a transmission andallowing that transmission to be transmitted only if that level isprovided;

[0047]FIG. 18 is an illustration of example policy data specifying therequired encryption strength for various data types;

[0048]FIG. 19 is an illustration of example policy data for controllingthe re-direction of out-bound messages;

[0049]FIG. 20 is a flowchart illustrating the operation of a plug-inmodule, according to a preferred embodiment of the invention, forre-directing out-bound messages to a third party for review beforetransmission, utilizing the policy data shown in FIG. 19;

[0050]FIG. 21 is a flowchart illustrating the operation of a plug-inmodule, according to a preferred embodiment of the invention, forcontrolling the up-load of information to a site external to thecompany, utilizing the policy data shown in FIG. 19;

[0051]FIG. 22 is an illustration of example policy data for controllingthe forwarding of messages to recipients inside or outside the company;

[0052]FIG. 23 is a flowchart illustrating the operation of a plug-inmodule, according to a preferred embodiment of the invention, using thepolicy data shown in FIG. 22;

[0053]FIG. 24 is an illustration of example policy data for controllingwhether or not an out-bound message is digitally signed; and

[0054]FIG. 25 is a flowchart illustrating the operation of a plug-inmodule, according to the preferred embodiment of the invention,utilizing the Policy data shown in FIG. 24.

DESCRIPTION OF THE PREFERRED EMBODIMENT

[0055] The preferred system provides users of the Internet with anautomatic way of managing the flow of information on a computer system.It provides facilities to manage the security level at whichtransmissions occur, facilities to record on-line transactions and torefer transactions that are about to be made to third parties forapproval, and means to stop transactions from occurring if approval isrefused; it also provides facilities to extract and record pertinentdata from any transmissions that are received or are about to betransmitted, and to intelligently manage the transmission of e-mails.

[0056] The preferred system provides solutions for many of the problemsencountered by eCommerce companies trading over the Internet;consequently the following exemplary discussion will be directed mostlyto the implementation and use of the system by a company of reasonablesize conducting at least some of its business over the Internet. It willbe appreciated that anyone however, including companies of any size ordescription and private individuals, who use the Internet may benefitfrom the functionality provided by the preferred system.

[0057] The functionality of the preferred system is implemented throughmodules of code which are ‘plugged-in’ to the web browser or e-mailclient. These ‘plug-in’ modules may be used to control and alter thebehaviour of the web browser or e-mail client in operation.

[0058] Many existing web browsers and e-mail clients may already bereadily integrated with such plug-in modules. In the case of Microsoft'sInternet Explorer, the plug-in is known as a ‘Browser Helper’, and ismore fully described in the document “Browser Helper Objects: TheBrowser the Way You Want It” by Dino Esposito, published by MicrosoftCorporation in January 1999. In the case of Microsoft's Outlook andExchange e-mail Clients, the plug-in is known as an ‘Extension’ and ismore fully described in the document “Microsoft Outlook and ExchangeClient Extensions” by Sharon Lloyd, published by Microsoft Corporationin March 1998. The use of the ‘Browser Helper Object’ and ‘Extension’plug-ins made in the preferred system will be described in more detaillater.

[0059] The use of browser or e-mail client plug-in modules to implementthe functionality of the preferred system has the additional advantagethat, since encryption of message content is usually carried out by thebrowser or e-mail client itself, examination of transmission content, toextract password information or to determine the desired level ofencryption for example, may take place before the content has beenencrypted ready for transmission, or indeed after it has been receivedand unencrypted.

[0060]FIG. 1 shows the relationship between service providers, typicallycompanies selling goods and services over the Internet 10, and userswishing to purchase such goods or services. Users equipped with webbrowsers 22, 24 and 26, can connect via the Internet and retrieve webpage information from web servers 14 and 18. Alternately users withe-mail applications 20, 30 and 32, can send and receive e-mail messageswith abc.com and xyz.com via e-mail servers 12 and 16.

[0061] In a corporate set up, such as that which is illustrated in thebottom right hand corner of FIG. 1, web browsers 24 and 26 of acorporate user are connected to the Internet via proxy server 28. Theproxy server 28 is used to cache web pages and control access to websites. Similarly, the corporation has e-mail clients 30 and 32,connected to the Internet via e-mail server 34 which acts as a centralcollection point for e-mails coming into the corporation and whichcontrols distribution of the e-mails to individual users. It will beappreciated that while FIG. 1 describes abc.com and xyz.com as sellers,a corporation can be both a buyer and a seller, and as buyers abc.comand xyz.com would be described as corporate users for the purpose ofthis description.

[0062] In the case of e-mails sent and received by personal e-mailapplication 20, it should be noted that the mail will typically becollected and distributed by a remote e-mail server provided by thesupplier of the Internet connection service to which the personal usersubscribes.

[0063] While many of the features and functions of this system provideconsiderable benefit to an individual user, the system provides themaximum advantage when operating in a multi-user environment wheretransaction information is gathered from many users. FIG. 2 shows aschematic diagram of the preferred configuration of the system in amulti-user environment. The preferred system comprises a CentralManagement server 40 connected to a database 42 and operator consoles44. The Central Management Server 40 is also connected to Back OfficeApplication Plug-ins comprising Application Interfaces 50, 52 and openApplication Program Interface 54, and to Gateway components 60, 62 and64. Gateway component 62 is shown as connected to User ApplicationPlug-ins, located on one or more user s machines, comprising InternetExplorer Plug-in 70, Netscape Navigator Plug-in 72, Microsoft OutlookPlug-in 74, and Lotus Notes Plug-in 76. These plug-ins are used providethe functionality of the preferred system in the hosting program inwhich they are integrated. Four possible hosting programs are shown,Internet Explorer, Netscape Navigator, Microsoft Outlook and LotusNotes, but any other program with the capability to connect to theInternet may also be used, providing its behaviour can be modified toimplement the functionality of the preferred system.

[0064] Connection to the Internet 10 is made via the Userapplication-plug-ins and their respective hosting programs.

[0065] The gateway components 70, 72 and 74 are optional but arepreferred as they enable the entire system to scale, with each gatewaystoring and forwarding information, thereby allowing any number of usersto be connected.

[0066] Information from the multiple application Plug-Ins 70, 72, 74 and76 for the different applications on multiple user machines is gatheredby the central management server 40 and stored in an associated database42.

[0067] The Back Office Application Plug-Ins 50, 52 and 54 allow thesystem to interface with third party management applications such asorder processing and accountancy systems. This allows transactioninformation to be automatically entered and processed by such systems.

[0068] Operator Consoles 44 are provided for administrative purposes,and in particular for the approval of transactions. While logicallydepicted as directly attached to the central management server in FIG.2, such consoles could be run on any networked machine. Where an e-mailor web browser plug-in determines that a particular transaction requiresapproval, a request is sent to the Central Management Server and queuedpending approval by an authorized operator.

[0069] The operation of the system is controlled by policy data, whichstores the corporation's regulations regarding security, authorisation,and the actions that user's are permitted to perform, as well asoperating information. Preferably, the policy data is stored in a policyfile on the central Management Server for access by any of the OperatorConsoles 44, Back Office Application Plug-ins or User ApplicationPlug-ins. The system administrator or network supervisor may define oneor more policies or settings of the policy file and may assignindividual users or groups of users to different policies, thuscontrolling a user's ability or even a workstation's ability to interactwith the Internet without the need to set parameters and controlsdirectly at each user's machine. A user in the accounts department of acompany for example may be assigned to an ‘accounts policy’; anysubsequent change to that policy will then automatically result in achange in the capabilities of all users assigned to that policy.

[0070] It is preferred that the capability to edit or set the policydata is restricted to the network supervisor or other authorised personor persons. This may be achieved by designating one or more supervisorworkstations in the network enabled with access to edit the policy datasuch as Operator Consoles 44.

[0071] Preferably, the policy is tree-like in structure, allowingsettings to be forced down to individual policy nodes of the tree, andglobal changes to be rapidly made, for example if the CEO wishes tocause all purchases to require his approval if company cash flow shouldbecome a problem. Such a policy based system greatly reduces the latencyinherent in both traditional purchasing systems and in current eCommercepurchasing environments.

[0072] Each user of the network will have his or her own representationof policy data. Preferably, only the branches and leaves of each user'spolicy that differ from a master network policy are stored as thisallows space in memory to be saved. Although the policy data ispreferably stored in file form on the Central Management Server, it isnot intended that storage of the policy data be restricted to file formonly. Any other representation or encoding of policy settings may beemployed within the preferred system.

[0073] The implementation of the system in a web browser or in an e-mailclient will now be described in more detail.

Use of the Preferred System in a Web Browser

[0074]FIG. 3 shows the simplified operation of a web browser. The webbrowser is launched at step S100 in response to a start request fromeither the user or automatically from the start-up file of the user'scomputer. The start-up file contains commands to automatically runspecified programs when the computer is booted-up. After the web browserhas been started it typically requests a ‘home page’, the default webpage for viewing, in accordance with a pre-determined setting. This isshown at step S102.

[0075] The request is sent to the appropriate web server 90, the exactInternet address of which usually being determined by Domain NameServices; the web server 90 then replies with the appropriate datadefining the web page. This process is represented respectively as stepsS104 and S106 which result in step S108.

[0076] The data defining the web page consists of HTML script, and otherpossible data types such as XML or ActiveX, and Javascript which encodesexecutable programs. The Browser interprets this data, displaying and/orexecuting it as appropriate at step S110.

[0077] The browser then typically waits for user input at step S112.Such input may include filling displayed fields, clicking on ahyper-link, or entering the URL address of a new web page. Ultimately,such actions lead to a further request being sent to the web server 90at step S114 and step S116. The request may simply be another web pageaddress, or it may contain additional data such as that typed in todisplayed fields by the user.

[0078]FIG. 4 shows a sample web page display, in which a GUI ispresented to the user in order to receive the users name and e-mailaddress. It will be seen from reference to FIG. 4 that the user hasentered his name as ‘Fred Smith’ into the name request field provided,and his e-mail address as ‘fsmith@xyz.com’ into the e-mail addressfield.

[0079] When the user clicks the ‘Submit’ button provided on the requestwindow the details the user entered are included in the command sent tothe web server 90. Such a command might be:

[0080]http://www.sample.com/sample2.htm?UserID=Fred+Smith&email=fsmith@xyz.com&submit=submit

[0081] It can be seen from the above that the user's name isincorporated into the command as the value of a variable called ‘UserID’and his e-mail address is incorporated as the value of a variable called‘email’.

[0082] The command is assembled in step S114, and transmitted to the webserver 90 in step S116 where the user name and e-mail addressinformation may be used, for example, to send product information to theuser via e-mail, or to gain access to other web pages.

[0083] The plug-in module provided by the preferred embodiment of theinvention in the form of a Browser Helper Object (BHO) providesadditional functionality to augment that of the standard web browser.The BHO is implemented to respond to a number of significant events thatoccur as the web browser is operated and directed by the user tointeract with various web sites and pages.

[0084] The BHO is implemented to monitor navigation requests and datasubmitted to the webserver from the browser and identify data that isunique to the user. It may do this simply by searching the outbound datastream for the presence of predetermined words or phrases. In the abovecase shown in FIG. 4, the two variable definitions ‘UserID’ and ‘email’may be searched for, and the data that follows them extracted andstored. Alternatively, the BHO may search for the ‘?’ symbol, whichindicates the end of the URL address being connected to and indicatesthat what follows is data. The BHO may also monitor the inbound datastream received from the web site being connected to.

[0085] Also, the BHO may be implemented to monitor the operation of theweb browser itself. As the web browser operates it generates events tonotify co-dependent software modules or objects that somethingsignificant has just occurred or that an action has just been completed.The name of the event is usually descriptive in its own right of whathas just occurred; additional data that describes the event in moredetail is normally available. The BHO is implemented to trap theseevents and to take action in dependence on them.

[0086] One such event that the BHO is implemented to respond to iscalled ‘BeforeNavigate2’ which the web browser fires when the userrequests the browser navigates to a new page. The event is issued andmay be recognised by the BHO before the requested page is downloaded,allowing the BHO to take any pertinent action before the user views thepage. One such action might be to record the page and any data submittedin response to that page in a database. Another such action might be toidentify the URL of the requested page from the event and prevent thepage being downloaded.

[0087] Another event that the BHO traps is the ‘DocumentComplete’ event,which is fired by the web browser when anew page has been fullydownloaded from the web site into memory. The page is encoded in theform of a Document Object, conforming to Microsoft's Document ObjectModel (DOM). The DOM provides comprehensive access to the datacomprising the page, allowing the BHO to extract data items which are ofinterest to it. For example, the BHO may request data from the DOM todetermine whether the page forms part of an eCommerce transaction. Itmay do this by searching objects in the DOM for terms such as ‘Receipt’or Account Number’.

[0088] The BHO may also use the DOM to determine the field names orfield types of data being requested on a web page. The data entered bythe user into such fields may then be extracted from the DOM and storedor acted upon. Field names are typically descriptive of what is stored;passwords, for example, are often held in a field called ‘password’ andso may be searched for on a web page. Credit card numbers may besearched for in a similar way. Usually, password fields are of a typesuch that any entered data is displayed as asterisks. This too may bedetermined from analysis of the DOM and used to identify pertinent data.

[0089] User data would not normally be present in a web page downloadedfrom a web site, but would be entered by the user into an HTML form.Usually, the potentially sensitive user data is transmitted to the website via the web server when the user selects a ‘Submit’ button. At thisstage, the BHO can trap the ‘Submit’ event issued by the web browser,and access the DOM to extract the user data, and, if necessary, preventthe data from being transmitted.

[0090] Encryption and decryption on a secure link will take place afterpoint C and before point A in FIG. 3 respectively. Thus, the BHO mayanalyse the data before it is encrypted or after it is decrypted. Thisis advantageous since there is no need for the BHO to perform anyencoding or decoding of data itself. This does not affect the ability todetermine if the link is secure or not, since a secure link can beidentified by the protocol identifier “https” at the beginning of thecurrent URL. It is preferred that examination of the transmission'scontent take place before encryption or after decryption occurs.

Discussion of the Operation of an E-Mail Client

[0091] With reference to FIG. 5 of the drawings, the operation of atypical e-mail client, and the implementation of the preferredembodiment in an e-mail client will now be described.

[0092]FIG. 5 shows the simplified operation of an e-mail client. Receiveand Send operations typically operate independently, and theseoperations are shown separately on opposite sides of FIG. 5, beginningat steps S120 and steps S130 respectively.

[0093] An e-mail client's ‘receive message’ operation is initiated atstep S120. This may be done automatically at predetermined intervals inorder to keep the user informed of any new messages that he hasreceived, or it may be done in response to the user manually selecting areceive messages icon. Starting this operation causes the e-mail clientto poll the e-mail server 95 and download any new messages to the user'smachine. In step S122, an e-mail message is received by the e-mailclient. Typically, when a new message is received, it is added to an‘Inbox’, with the received message headers (senders name, date and titlefor example) arranged in a list. The user then clicks on the appropriateentry in the list to read the full message causing it to be displayed onhis computer screen. The e-mail message is displayed at step S124.

[0094] In the case of an outgoing e-mail, the user selects a composee-mail option as step S130. In response the e-mail client provides aninterface comprising a text editor in which the user can enter the textof the body of the message and other information such as destinationaddress, subject and so on. The user composes the message in step S132and then opts to send it, by selecting an icon or menu option providedby the e-mail client to issue a ‘send command’. The e-mail is sent tothe e-mail server for transmission to the recipient in step S134. If anyencryption is applied by the e-mail client it is applied in step S134before transmission.

[0095] In the preferred embodiment, additional functionality is providedfor the e-mail client via a plug-in module. Preferably, the e-mailclient is one of those provided by Microsoft, such as the MicrosoftExchange client, or the Microsoft Outlook client, and the plug-in moduleis encoded as an Exchange client extension. These are described in thedocument “Microsoft Outlook and Exchange Client Extensions” by SharonLloyd mentioned earlier.

[0096] An Exchange Client Extension is a component object that complieswith the Microsoft Windows Component Object Model (COM) and thatutilizes the Exchange IExchExt interface. This interface provides anumber of additional interfaces for modifying the operation of theExchange e-mail client, such as the IExchExtCommands interface, whichallows existing client behaviour to be replaced or modified and newcommands to be added to the client's menus; and the IExchExtEventsinterface which allows custom behaviour to be implemented to handleclient events such as the arrival of new messages, reading, writing,sending messages and reading and writing attached files. TheIExchExtMessageEvents, IExchExtSessionEvents and theIExchExtAttachmentEvents interfaces are also provided and provideadditional functionality for the more specific tasks that each of theinterfaces names suggest.

[0097] In the preferred embodiment, the Exchange Client Extension thatforms the plug-in module is implemented to respond to client ‘events’that are fired by the client program as it performs operations andcompletes actions. The ‘events’ in question are provided by the COMinterfaces mentioned above. The monitoring of the e-mail client by theplug-in module may therefore be seen to be analogous to the way in whichthe BHO plug-in module monitors the operation of the web browser.

[0098] The e-mail client plug-in module is implemented to respond to the‘OnDelivery’ event for example which is fired when a new message isreceived from the underlying mail delivery system and before it isvisible to the user. The OnDelivery event contains information to accessthe different parts of the e-mail message that have been downloaded andwhich are held in memory. The message header, the message body and anymessage attachments are encoded in memory as properties of the messageobject which may be separately accessed through Mail-Application ProgramInterface (MAPI) calls.

[0099] Via the information supplied as part of the ‘OnDelivery’ event,the plug-in module may access the message header and extract theidentity of the sender for example. Furthermore, the plug-in module mayutilise information obtained from MAPI calls to scan the body of areceived message for keywords or pertinent data. It may search forevidence of an eCommerce transaction, by identifying significant wordssuch as ‘receipt’ or ‘account number’. The message may then be storedfor auditing purposes. In the case of an unapproved sender, or harmfulmessage content, the message may be deleted unseen.

[0100] The analysis of a received e-mail occurs therefore at point A inFIG. 5 prior to being viewed by the user. Preferably the e-mail isexamined before the e-mail is even placed in the Inbox. Where a messageis not automatically decrypted before being placed in the Inbox, forexample where the user is required to enter a decryption key, themessage is examined immediately following decryption, but beforeviewing. Digital Certificates may be included as attachments to thee-mail and can readily be examined prior to viewing, allowing anyappropriate actions, such as validation, to be performed.

[0101] Another significant client event that the plug-in module isimplemented to respond to is the ‘OnwriteComplete’ event which is firedwhen the user has selected the ‘send command’ and requested the e-mailclient to transmit a new e-mail message to the mail delivery system.This event is fired, at point B in FIG. 5, before the transmission andbefore any encryption takes place. The new message which is to betransmitted is similarly stored in memory as an object which may beaccessed by MAPI calls. The plug-in module may use the MAPI calls toscan the content of the outgoing e-mail for sensitive data, such ascredit card number, and consequently cause the message to be recorded oreven blocked.

Plug-In Module Operation

[0102] The preferred implementation of the web browser and e-mail clientplug-in modules has been described above with reference to FIGS. 3 and 5above. Next, the functionality provided by the plug-in modules will bedescribed in detail and with reference to FIGS. 6 to 18.

Identifying and Recording Usernames, Passwords and Other Information

[0103] The preferred system provides means to automatically identify,collect and store data contained in transmissions to and from a user'sworkstation, in particular, the usernames and passwords entered by auser to access web site pages, File Transfer Protocol (‘FTP’) sites andother such sites on, the Internet.

[0104] Systems that presently provide facilities to record passwordscurrently only do so when a user a clicks on the remember passwordoption provided on the GUI. The password is saved into a protected localfile on the user's machine that is only opened when the user isauthenticated on that machine, for example, by entering his username andpassword at boot time. The remember password option causes the system toremember the user's password when he next visits, pre-filling in thepassword field with that password so that the user does not have toenter it each time it is required. The drawback of the password filebeing stored locally is that if the user moves to another machine hedoes not have access to the stored password file and will have tore-enter the password himself.

[0105] The preferred system identifies passwords automatically, withoutthe need for instruction from the user, and stores the identifiedpasswords and usernames in a data repository. Preferably this is centraldatabase 42. This allows the passwords of any user to be recalledregardless of the terminal at which the user logs on, providing theterminal has access to the central database.

[0106] Any identified passwords and usernames are stored in the databasealong with the field names in which they are stored on the original website and the address of the Internet site to which they were transmittedto and at which they are used. Site information can be retrievedstraightforwardly as it is included in the HTTP request submitting thepassword and username information to that site, and in therepresentation of the web page held in memory.

[0107] Preferably, for the sake of security, the information stored inthe database is encrypted, so that only a select number of people, suchas network supervisors, system administrators or company directors haveaccess to it. They may access the database either through a workstationin the network, by entering a username or a password to identifythemselves, or through a supervisor workstation, such as OperateConsoles 44.

[0108] This storage of usernames and passwords along with addressdetails presents a significant advantage to companies that use on-linefacilities. With existing technologies, if a user forgets hisauthenticating password preventing access to the protected file, orleaves the company without having disclosed it, the Internet servicecannot be accessed. A similar situation occurs if the protected file isdamaged, deleted or otherwise lost. Each Internet service must then beapproached in order to replace or recover the lost password, which canbe expensive both in terms of lost access and administrative time. Withthe preferred system, the password information may be recovered from thecentral database, so that access to web sites is not lost.

[0109]FIG. 6 is a flow diagram which schematically illustrates theoperation of a plug-in module implemented to extract user name andpassword information from data to be transmitted to a web server. Instep S150, the plug-in module begins and parses the data about to betransmitted to the web server from the browser. This occurs at point ‘C’in the process illustrated in FIG. 3. Control then passes to step S152where the plug-in module determines whether or not the data which is tobe transmitted contains username or password information.

[0110] The passwords and usernames may be identified in the mannerdescribed above with reference to FIGS. 3, 4 and 5, by identifying fieldnames in submitted command or by using the DOM, for example, to searchfor field names, field types, or the display method used to identify thedata on web pages. They may also be retrieved from the HTML of webpages, the pop-up windows or GUIs (Graphical User Interfaces) presentedby remote servers or providers on the World Wide Web or even by scanningthe content of e-mail messages.

[0111] Identifying passwords and usernames in transmitted commands or inthe DOM of a web page from their field names relies on those field namesdescribing their purpose with obvious labels such as ‘password’ or‘username’. In cases when the field names are not themselves meaningful,the nature of data being transmitted, may be inferred from the fieldtype of the data, that is ‘String’, Integer and so on, or the displaymethod used to enter the data. Fields that are intended to receive apassword can be identified from the representation in by searching for a‘password’ field type in the DOM. Text boxes on a webpage into whichpassword data is to be entered, for example, typically display eachcharacter input as an asterisk; this property may be determined from theDOM and used to infer that data input into the text box is a passwordeven if there are no other indications. Although, the password isdisplayed as a string of asterisks, the representation in memory stillcontains the character information that was entered by the user. Thepassword may then be retrieved simply by extracting the input from thefield.

[0112] Alternatively, passwords and usernames may be identified byreferring to those stored by other programs such as Microsoft's‘Internet Explorer’ when the remember password option is selected by theuser. Such passwords are stored in a local protected file on the user'scomputer. This file is ‘unlocked’ when the user is authenticated on thecomputer, and so may be accessed to obtain password and usernameinformation by the browser plug-in module of the preferred system.

[0113] If the plug-in module does not detect a username or a password inthe data which is to be transmitted, control passes to step S158 atwhich point the module exits and control is passed back to point ‘C’ inFIG. 3. The browser may then transmit the data to the web server. Ifhowever, a username or a password is detected by the plug-in module atstep S152 then control passes to step S154, where the values of theidentified username or password and the URL or other identifier of theweb page to which the data is to be transmitted are extracted. Controlthen passes to step S156 where, these values and the URL or otheridentifier are stored in a predetermined system database 42. Oncestorage has taken place, control then passes to step S158, where themodule exits and control is passed back to point ‘C’ in FIG. 3. Thebrowser may then transmit the data to the web server.

[0114] The preferred embodiment need not be limited only, to the storageof passwords or usernames which have been used as an example because ofthe immediate advantage that their storage provides. Other types ofdata, in particular those relating to eCommerce transactions, such ascredit card information and digital certificate may also be usefullyextracted and stored to provide a database or record. The system forextracting information from transmissions may also be applied to e-mailsystems.

[0115] The information may be extracted in the manner described above,via the DOM or via MAPI calls to the COM representation of e-mailcontent, or may be extracted from the language in which a web page isencoded. Web pages are typically encoded in Hyper-Text Mark-Up Language(HTML), a human readable text based language which may be searched forknown key words or indicators using conventional text matchingtechniques.

[0116] In the preferred embodiment, recording of the data may involverecording just password and username information, recording the URL of aweb page being viewed or of an e-mail account, recording any datasubmitted to the fields of a web page, and recording the HTML of a webpage, so that the web page may be retrieved later and viewed.

[0117] The plug-in modules provided by the preferred system operate inconjunction with policy data, which may be recorded in a file, database,or software code for example. The policy data provides a user of thepreferred system to instruct the operation of each of the plug-inmodules thereby controlling their functionality.

[0118] A sample representation of policy data, illustrated in FIG. 7,shows how a user may control the operation of the plug-in module torecord password and username information along with other types of data.

[0119] The tree-like structure of the policy data is clearly seen inFIG. 7 which shows just one major branch of the policy data entitledARecording@. The Recording branch is separated into two sub-branchescalled ABrowser@ and AEmail@ which contain instructions for theoperation of web browser and e-mail client plug-in modules respectively.

[0120] The browser branch contains three sub-branches calledADataToRecord@, AWhenToStartRecording@ and AWhenTostopRecording@. TheDataToRecord branch specifies the type of data that is to be extractedfrom transmissions to or from the user's workstation and a web server.Four types of data are referred to in the illustration these being theURL of the web page being viewed, the HTML of the webpage being viewed,data that is entered by a user into fields provided on the web page andsubmitted to a web site, and any passwords and usernames that areentered by the user. These are referred to on four distinct sub-branchesof the DataToRecord branch, entitled AURL@, AHTML@, ASubmittedFields@and APasswords@. A Yes/No option on each of those sub-branches specifieswhether or not the indicated data is to be recorded.

[0121] The WhenToStartRecording branch sets out a number of conditionswhich specify the point at which the data specified in the DataToRecordbranch is to be recorded. Five conditions are illustrated in thisexample each one set out on a separate branch and respectively entitledAWhenBrowserIsOpened@, AIfCreditCardNumberSubmitted@;AIfPasswordSubmitted@, AIfKeywordsReceived@ and AIfKeywordsSent@.Whether or not these conditions are to be used in order to determinewhen to start recording is indicated by Yes/No markers on each branch.

[0122] Similarly, the WhenToStopRecording branch lists three conditionsthat may be used to determine the point at which the recording of thedata specified in the DataToRecord branch is to be stopped. Theseconditions are AWhenUserClosesBrowser@, AWhenUserChangesSite@ andAWhenUserChangesPage@. The Yes/No status of each of the conditions andfor each of the type of data to be recorded may be easily set by a userof the preferred system in order to control the operation of the plug-inmodule.

[0123] The e-mail branch of the policy data is divided into aDataToRecord branch and a WhenToRecord branch. Each of these branchesare sub-divided into branches that deal with Sent Mail and ReceivedMail. The type, of data that may be recorded is set out in theDataToRecord branch and for sent mail may be the message text, anyattachments to the message, and in the case of messages signed with adigital signature, a copy of the digital certificate accompanying thesignature. Conditions for recording sent mail and received mail are setout in the WhenToRecord branch and may be based on the identification ofa credit card number, a keyword or a digital certificate in the mailthat is sent or received.

[0124] The tree-like structure described is the preferred form for thepolicy data since it allows the data to be easily organised and referredto. It also allows different users to be assigned to different branchesof the tree in order to receive different policies. Although, the treelike structure is preferred, other arrangements may also be possible.The branches shown in this diagram are only intended to be illustrative.

Identification of Credit Card Numbers

[0125] The preferred system also searches for Credit Card numbers orother account information in the data to be transmitted to the webserver or e-mail client by searching for a string of numeric digits,typically between 14 and 16 long. It then determines if the string ofdigits passes one of the tests universally used by credit card companiesto validate card numbers.

[0126] If a credit card number is found in the transmission, then thepreferred system may take a number of actions depending on the settingsin the policy file, such as refer the transmission to a third party forapproval, renegotiate a higher level of encryption to safe-guard thetransmission if the credit card number belongs to the company, orprevent the transmission from taking place altogether.

[0127] The most common test to identify a credit card number is definedin ANSI standard X4.13, and is commonly known as LUEN or Mod 10.

[0128] The Luhn formula is applied to credit card numbers in order togenerate a check digit, and thus may also be used to validate creditcards, in which case the check digit is figured in as part of theformula. To validate a credit card number using the Luhn formula, thevalue of every second digit after the first, starting from the righthand side of the number and moving leftwards, is multiplied by two; allof the digits, both those that have been multiplied by two and thosethat have not are then added together; any digit values that have becomegreater than or equal to ten as a result of being doubled, are summed asif they were two single digit values, eg: ‘10’ counts as ‘1+0=1’, ‘18’counts as ‘1+8=9’. If the total of the sum is divisible by ten, then thecredit card is a valid credit card number.

[0129]FIG. 8 is a flow diagram which illustrates the operation of aplug-in module which detects credit card numbers, using the Luhn formuladescribed above, in data which is about to be transmitted. If a creditcard number is identified, the plug-in module implements furtherpolicy-based checks, based on the outcome of which, the plug-in modulemay determine to transmit the data containing the credit card number orto prevent transmission.

[0130] The module begins operation at step S160, which follows point ‘C’in the process illustrated in FIG. 3 in the case of browserimplementation, or point B in the process illustrated in FIG. 5 in thecase of an e-mail client implementation. Control passes from step aboutto be transmitted to the web server or e-mail service and extracts fromit a first string of digits that is likely to be a credit card number.

[0131] This is achieved by scanning the data comprising the transmissionfor strings of digits over a particular number of digits long. Creditcard numbers are usually made up of more than 12 digits, and are notusually more than 16 digits long. Thus any strings of digits in thisrange may be identified as possible credit card numbers.

[0132] Following the extraction step S162 control passes to decisionstep S164 where a routine end of file check is made. If the datacontains no candidate credit card number and the end of the file checkis reached before any first candidate number could be found, then atstep S164 control passes to step S178 where the transmission of the datais allowed to proceed without any further control resumes in the webbrowser operation shown in FIG. 3 from point ‘C’ or in the e-mail clientoperation shown in FIG. 5 from point B.

[0133] If a first potential credit card number is found in the data instep S162, then it is extracted and stored in memory. The end of filehas not been reached yet so control passes from step S162 to step S164and then to S166 where a checksum for the stored candidate number iscalculated using the Luhn formula. Control then passes to decision stepS168, where the checksum is queried.

[0134] If the checksum indicates that the candidate number is not avalid credit card number then control passes back to step S162 where thenext potential credit card number is extracted from the data. If asecond credit card number is not found, then the end of the file isreached and control passes to step S178 where the transmission isallowed to proceed, and then to step S180 where the module exits.

[0135] However, if the checksum indicates that the candidate number is avalid credit card number then control passes to decision step S170

[0136] where the settings of the policy data are queried for theappropriate action to take. The action may be determined from suchfactors such as the number itself, the identity of the user transmittingthe number and the address to which it is to be sent. The policy datamight for example specify that credit cards are not to be transmitted,or that a higher encryption strength is required for the transmissionbefore it may proceed.

[0137] This policy checking step allows credit card transactions to becontrolled at a higher level than the user making the transaction. Thusfinancial decisions may be swiftly and easily implemented, and may beenforced automatically without the need for monitoring. An organisationmay, for example, wish to restrict the capability to make credit cardtransactions on the organisation's account to particular authorisedpeople or it may wish to restrict transactions on a particular accountaltogether.

[0138] In step S170, the credit card number, and other details of thetransaction are compared to the settings in the policy file and it isdetermined whether or not transmission may take place. If for anyreason, with reference to the policy checks, it is determined that thecredit card number should not be transmitted, control passes to stepS172 where transmission of the data is halted, and then to step S174where the module exits. At this point the system could notify the userthat the request has been denied by means of a pop-up message box.Control then returns to point A in FIG. 3, in the case of a web browser,or to step S132, ‘compose mail’ in FIG. 5, in the case of an e-mailclient.

[0139] If in step S172, it is determined that the credit card number maybe transmitted, control passes to step S176 where transmission of thedata occurs, and then to step S180 where the module exits. In this casecontrol is resumed from point C in the web browser operation illustratedin FIG. 3, or from point B in the e-mail client operation illustrated inFIG. 5.

[0140] Credit card numbers need not be identified in step S162 solely byscanning the content of the transmission. In web browser implementationsthe credit card number may for example be directly identified byreferring to the field names of any variables that are to be transmittedor also from the representation of the web page in memory. Thediscussion above about the identification of passwords explains this inmore detail.

[0141] The preferred system may also be configured to search outgoingtransmissions for other pertinent financial details, such as accountnumbers. Company account numbers from which funds may be deposited maybe stored in a separate file. Any likely strings of characters or digitsmay then be extracted from the outgoing data in the manner described andcompared with the entries in the accounts file to determine whether ornot it is a valid account number. The transaction may then be allowed toproceed or be refused in the manner described above. Although creditcard numbers have been referred to, it will be appreciated that any typeof card number for making payment such as debit card numbers may also beused.

[0142] Also, although identification of credit card numbers has beenexplained with reference to data that is to be transmitted, it will beappreciated that similar techniques could be used to identify andextract credit card numbers from transmissions that are being received.

Validation and Authentication Support

[0143] On-line transactions typically require some form ofauthentication that the user is who he says he is, and that he is ableto pay for the goods ordered. These requirements are usually met by thepurchaser supplying the trader with his credit card number and thecardholder address which can then be verified by the seller with thecard issuer. Increasingly however, Digital Certificates are attached toelectronic transmissions by the user which, in conjunction with adigital signature, allow the receiver to verify that the transmissionoriginated from the person named as sender. Digital certificates fromcertain issuing authorities, such as Identrus, may also act as awarranty that the holder will honour his commitment to pay a specifiedamount of money. These certificates are useful when trading on-line.

[0144] Digital signatures are a widely used means of establishing anindividual's identity on-line when transmitting information or whenconducting a transaction. They also provide a guarantee to a recipientof any transmitted information or transaction details that those detailsand that information have not been tampered with en-route by anunauthorised third party.

[0145] Digital certificates are issued to individuals, organisations, orcompanies by independent Certificate Authorities, such as Verisign Inc.An organisation may also act as its own Certificate Authority issuingits own digital certificates which may or may not be derived from a‘root’ certificate issued by another Certificate Authority. A digitalcertificate typically contains the holder's name, a serial number, anexpiration date, a copy of the certificate holder's public key and thedigital signature of the certificate issuing authority. A private key isalso issued to the certificate holder who should not disclose it toanyone else.

[0146] Certificates are unique to each holder and may be revoked by anissuer if the holder is no longer viable; alternatively, a holder mayask to have it revoked if his private key has been compromised.

[0147] The public and private keys may both be used in tandem to encryptor decrypt a message. Anyone may use a certificate holder's public keyto encrypt a message so that it may only be read by the certificateholder after decrypting the message with his private key.

[0148] Messages may also be digitally signed using software whichconverts the contents of the message into a mathematical summary, calleda hash. The hash is then encrypted using the sender's private key. Theencrypted hash may then be used as a digital signature for the messagethat is being transmitted. The original message, the digital signatureand the transmitter's digital certificate are all sent to a recipientwho, in order to confirm that the message he has received is completeand unaltered from its original form, may then produce a hash for thereceived message. If, the received hash, having been decrypted with theholder's public key, matches the hash produced by the recipient, thenthe recipient may trust that the message has been sent by the person towhom the certificate was issued, and that the message has not beenaltered en route from its original form. Digital certificates aretherefore of considerable and increasing importance to companiesconducting business on the Internet.

[0149] In cases where an on-line trader makes use of DigitalCertificates to ensure the identity of its customers, it is necessary tocheck with the issuer that the certificate is still valid before anytransaction is authorised. Such checks can be carried out on-line usingan independent verification service such as that provided by Valicert,Inc. A fee is usually charged for such services.

[0150] It may be that individual employees of an organisation eachreceive e-mails from a single client, each signed with his digitalcertificate, on separate occasions. Presently, there is no way for ainformation about certificates received by one employee to be sharedwith another employee unless they share it themselves manually, and as aresult, individual employees might request that the same certificate bevalidated each time that they receive it. This is wasteful however,since once a certificate is revoked by its issuer, it is never againreinstated, so any validation fees spent on an already revokedcertificate are unnecessary. Additionally, the recipient may wish tomake a business judgement as to whether a previously validatedcertificate should be re-checked or not. For example, if a digitallysigned order for $1M worth of goods is received one day, and thecertificate successfully validated, and on the next day another orderfor $50 is received, signed with the same certificate, the organisationmay consider a second validation check to be unnecessary, thereby savingthe validation charge.

[0151] The preferred system provides means to record information aboutthe Digital Certificates that have been received, the status of thecertificate at the last check as well as, where applicable, transactioninformation, such as client, amount, date, goods and so on. Thisinformation is stored in a central database to which all users of thesystem have access. The preferred system also provides means to use thestored information to decide whether or not a validation check isdesirable, and to accept or refuse transmissions depending on the statusof the digital certificate. Thus, users of the system may receive andreview transmissions without the need to establish their authenticitythemselves.

[0152]FIG. 9 illustrates the operation of a plug-in module of thepreferred system implemented to extract digital certificates fromtransmissions received by company employees and record them in adatabase along with their validity status and details of any associatedtransactions such as date, amount, goods and so on. The module firstchecks to determine if the certificate is obviously invalid, and thatthe message has been correctly signed by it. The certificate isobviously invalid, for example, if its expiry date has passed, or if itcontains an invalid ‘thumbprint’. Such a thumbprint may be a checksumfor the certificate itself for example. The message has not beencorrectly signed if the signature cannot be verified from theinformation contained within the certificate. Details of certificatevalidation and message signing are more fully described in the ITU andRFC documents previously referenced. The module then makes a check todetermine whether or not the certificate has already been stored in thedatabase and only records those that have not. Where a copy of thecertificate is already stored, the module checks the database record todetermine whether it has been previously identified as revoked in whichcase the transmission is immediately rejected. Otherwise, the modulethen determines, in accordance with policy defining business rules,whether or not to validate the certificate. Taking in to account theresults of any such validation, it then determines whether thecertificate should be relied upon, and therefore whether or not thetransmission signed by the digital certificate should be rejected oraccepted. The module is initiated at step S190, following receipt ofdata containing a digital certificate. Digital certificates aretypically transmitted as attachments to messages and may be identifiedby examining the first few bytes in the header of the attachment. Thesebytes identify the type of file attached and so will indicate whether anattachment is a digital certificate or not.

[0153] The initialisation step S190 occurs after point A in FIG. 3 ifthe module is implemented in a web browser, and after point A in FIG. 5if the module is implemented in an e-mail client. Followinginitialisation, the module proceeds to step S191 in which the expirydate of the certificate is checked, and the digital signature confirmedas having signed the message. If the certificate has expired, or themessage is incorrectly signed, the module proceeds to step S198 andrejects the transmission. Otherwise the module proceeds to step S192 inwhich the database is searched for a previously received copy of thedigital certificate. Control then passes to decision step S194. If acopy of the certificate has been found in the database then controlpasses to decision step S196 where the module determines whether thecertificate has previously been marked as revoked. This will haveoccurred if a previous validity check revealed that a digitalcertificate has been revoked. If the certificate is not already in thedatabase control passes from step S194 to step S202 where the newcertificate and the date on which it was received are stored in thedatabase, together with additional details such as the address fromwhich it was sent and details of any transaction associated with thetransmission such as monetary value, account number etc. If thecertificate has already been marked as revoked in step S196 then controlpasses directly to step S198 in which the transmission comprising thedigital certificate is automatically rejected. This may involve forexample, transmitting an automatically generated message to theinitiator of the transmission whose certificate has been found invalidto explain the refusal, and preventing the recipient of the digitalcertificate from taking any further steps in connection with the refusedtransmission. The module then exits at step S200.

[0154] If, however, the certificate has not been previously marked asrevoked in step S196, then control passes to step S204 in which thehistory of transmissions signed by the certificate, by othercertificates from the same company, or used to conduct transactions onthe same account are considered with policy data to determine if anon-line validity check of the certificate is required. Control alsopasses to step S204 after a new digital certificate has been added tothe database in step S202.

[0155] The policy data contains instructions which when considered inconjunction with the history of signed transmissions previously receivedand revocation checks previously made indicate whether or not thecertificate used to sign a transmission should be verified on thisoccasion. Example policy data is illustrated in FIG. 10 to whichreference should now be made.

[0156] The policy data is stored on the AcceptanceConfidenceRatingbranch on the DigitalCertificates branch of the policy datarepresentation. The AcceptanceConfidenceRating branch sub-divides intotwo separate branches which deal individually with monetary digitalcertificates, where a certificate has been used to sign a transmissioninvolving a transaction with the recipient for an amount of money, andAidentity@ digital certificates which do not involve a monetarytransaction with the recipient of the transmission. Certain certificatesare issued only for use in conjunction with monetary transactions. Forexample, the ‘warranty certificate’ issued by some on-line bankingorganisations, such as Identrus, as a warranty to the receiver of thesigned transmission. Such warranty certificates testify that the senderof the transmission is a customer of an Identrus member bank, and thatif he or she does not make payment, the bank will accept liability.

[0157] Organisations which issue different kinds or classes of digitalcertificate mark each certificate according to its class. Identifying acertificate as being of a particular class is then a matter of knowinghow different organisations classify their certificates and searchingfor the appropriate indicator in the certificate received.

[0158] Issuers of digital certificates may provide many differentclasses of certificate suited for different purposes. These may beseparately dealt with by the policy data by corresponding sub-branchesof the policy datatree.

[0159] In the example policy the first branch entitledAIdentityCertificates@ deals with transmissions that do not involve amonetary transaction. The branch comprises four separate sub-branches.The first of these, entitled AAlwaysAcceptFrom@ contains a reference toa table, ‘table a’, which lists the names of individuals andorganisations who are considered to be reliable. The names listed inthis table will be those known and implicitly trusted by the company,for whom, it is not considered necessary to determine whether or not adigital certificate has been revoked by its issuer.

[0160] The second branch entitled AAlwaysCheckFrom@ contains a referenceto a separate table, table b, in which the names of organisations andindividuals for whom digital certificates should always be checked arestored. Clearly, the contents of table a and table b will depend uponthe experience of the user of the preferred system and will be left upto that user to enter.

[0161] The third branch entitled

[0162] ACheckIfDaysSinceCertificateReceived

[0163] FromCompany@ specifies a period of time following the receipt ofa valid digital certificate from a company, within which checks of anyfurther digital certificates received from that company are notconsidered necessary. In this case, the period of time is set to be 10days.

[0164] The fourth branch entitled

[0165] ACheckIfDaysSinceLastReceivedThis

[0166] Certificate@ specifies a similar time period in the case of anindividual digital certificate. In the example shown the policy dataspecifies that validation checks on any given digital certificate needonly be made every 30 days Again, the number of days specified on bothof these branches is left to the user of the preferred system to decide.The amount of time that has passed since a valid digital certificate hasbeen received be determined by referring to digital certificates andassociated data stored in the database. By checking digital certificatesperiodically, rather than each time they are received allows money spenton making checks to be saved. The MonetaryCertificates branch alsocontains an AlwaysAcceptFrom and an AlWaysCheckFrom branch which referto tables x and y respectively. Table x lists all those organisationsand individuals for whom no status check of a digital certificate isrequired; table y lists all those for whom a check is always required.The MonetaryCertificate branch also contains a CheckIfAmountExceedsbranch which specifies a threshold transaction amount over which alldigital certificates must be checked and lastly an IfRecentlyCheckedbranch which sets out two conditions for performing checks on a digitalcertificate that has been recently received and validated. TheIfRecentlyChecked branch allows the user to specify that digitalcertificates received for transactions for a small amount, in this case$5000, received within a specified time, in this case 30 days, of aprevious revocation check, need not be validated.

[0167]FIG. 11 illustrates the plug-in module process which interactswith the policy data shown in FIG. 9. This process is a sub-process ofthat shown in FIG. 8 and occurs at step S204 resulting in decision stepS206 in which the plug-in module determines whether or not to perform anon-line check of the status of the Digital Certificate it has received.The sub-process begins in step S220 from which control passes todecision step S222 in which it is determined if the transmission ismonetary from the class of the Digital Certificate used to sign themessage. If the transmission is monetary then control flows to decisionstep S232, which is the first in a chain of decision steps correspondingto the branches in the MonetaryCertificates branch of theAcceptanceConfidenceRating branch of the policy data.

[0168] If in step S222, it is determined that the transmission is notmonetary, control passes to decision step 5224, which is the firstdecision step in a chain of decision steps corresponding to theIdentityCertificates branches of the AcceptanceConfidenceRating branchof the policy data. In each of the decision steps in the chain a simplecheck is made to see whether the conditions specified on each sub-branchof the IdentityCertificates branch of the policy data is satisfied.Depending upon the results of that check control flows either to stepS242 in which confidence in the Digital Certificate is established andno on-line check of the Digital Certificate's status is deemednecessary, or step S244 in which confidence is not established and anon-line check is deemed necessary, or to the next decision step in thechain.

[0169] Thus, in decision step 8224, in which it is determined whetherthe sender of the Digital Certificate is listed in table a, that is theAAlwaysAcceptFrom@ table, if the sender of the Digital Certificate islisted in Table A then control flows from decision step S224 to stepS242 where confidence is established in the Certificate and thesub-process ends returning to step S208 in FIG. 8. If the sender is notlisted in table a then control flows from step S224 to the next decisionstep in the chain step S226 in which it is determined whether the senderof the DigitalCertificate is listed in table b, that is theAAlwaysCheckFrom@ table. Similarly, if the sender is listed in thistable control flows to step S244 at which an on-line check of theDigital Certificate's status is deemed necessary. Control returns fromstep S244 in the sub-process to step S210 in FIG. 8.

[0170] If the sender of the Digital Certificate is not listed in table bthen control flows from decision step S226 to the next decision step inthe chain which represents the next condition listed as a sub-branchlisted in the policy data. Thus, in decision step S228 a check is madeas to whether this Digital Certificate has been validated in the last 30days. This will involve looking up the Digital Certificate in thedatabase of stored Digital Certificates and extracting from the storedinformation the date on which the Digital Certificate was last checked.If the status of the Digital Certificate has been checked in the last 30days, control flows to step S242 where confidence is established. If theinformation in the database of stored Digital Certificates indicatesthat the Digital Certificate has not been checked in the last 30 daysthen control flows from step S228 to decision step S230 in which a checkis made to see if another Digital Certificate has been received from thesame company and if that Digital Certificate has been checked within thelast 10 days. This determination again involves checking the database ofstored Digital Certificates and information relating to those DigitalCertificates.

[0171] If the other Digital Certificate has been checked in the last 10days then control flows to step S242 where confidence in the receivedDigital Certificate is established. If not, then control flows to stepS244.

[0172] In the case of a monetary transmission, the conditions set out onthe policy data are stepped through in decision steps S232 to decisionstep S240. If in decision step S232 the sender of the DigitalCertificate is found to be listed in table x, which sets out the namesof companies and organisations for which no check of the DigitalCertificate status is deemed necessary, then confidence is establishedand control passes to step S242. Otherwise control passes to the nextdecision step in the chain which is decision step S234. At decision stepS234 if the sender of the Digital Certificate is founded listed in tableb, that is the AAlwaysCheckFrom@ Table, then confidence is notestablished and control passes to S244. Otherwise, control passes todecision step S236, where it is determined whether the amount for whichthe transaction is being made exceeds $10,000. This determination ismade with reference to the signed transaction data which will containthe monetary amount either in a manner pre-determined by the issuer ofthe certificate, or contained within the e-mail or associated e-mailsforming the transaction or transmissions. If the transaction is found tobe for an amount to be in excess of $10,000, or if the amount of thetransaction cannot be determined with a reference to the datatransmitted, then confidence is not established and control passes tostep S244. Otherwise, control passes to decision step S238 in which itis determined whether the Digital Certificate has been checked withinthe last 30 days. Again, this determination is made with reference tothe database of stored Digital Certificates and data relating to DigitalCertificates. If the certificate has not been checked within the last 30days then confidence is not established and control passes to step S244.If it has been checked, then control passes to decision step S240 where,if the previously determined amount of the transaction is deemed to beover $5,000 then confidence is not established and control passes tostep S244. If the amount of the transaction is under $5,000 then it isclassed as an acceptable risk to rely on the Digital Certificate,confidence is established and control passes to step S242.

[0173] These last two conditions allow the system to determine whetherto check the certificate's status based on recent trading history. Iffor example, a transaction is about to be made by a party for a modestsum, i.e. under $5000, and the search of the recorded transaction andcertificate details reveals that quite recently, the same party made atransaction and at that time their digital certificate was confirmed asbeing valid, then it is arguable that checking the validity of theparty's certificate again so soon after the first is unnecessary, and itis preferable to trust in the party rather than paying the validationfee a second time.

[0174] It will be appreciated that the instructions in the policy filemay be set out to reflect the level of confidence the company has in itscustomers or suppliers, based on the experience of individuals withinthe company, the amounts of transactions that are deemed allowablewithout significant risk and so on. The policy file may also be set upto implement more general policies which are to be used in conjunctionwith a record of transaction details for the holder of that digitalcertificate. For example any transaction that is offered by the holdermay be compared against the record of those that he has made before tosee if the amount and the goods and services requested are in keepingwith his trading history. If they are not, then it may be desirable tocheck the validity of the certificate to confirm that it is still validand guarantees the identity of the sender. If it has been revoked, thena third party may have acquired the original holder's private key and beattempting to make fraudulent transactions.

[0175] Having checked the policy data in step S204, confidence in thedigital certificate will either have been established or will not havebeen established. In decision step S206, if confidence has beenestablished then control passes to step S208 in which the transmissioncontaining the transaction is accepted. Control then passes to step S200where the module exits and control passes back to point A in FIG. 3 inthe case of a web browser, or point A in FIG. 5 in the case of an e-mailclient.

[0176] If in step S206 confidence in the digital certificate is notestablished, then control passes to step S210, where an on-linevalidation check is performed on the digital certificate. This mayinvolve checking to see whether the Digital Certificate has been revokedor whether, in the case of an eCommerce transaction, the issuer of theDigital Certificate will confirm a warranty for the amount promised inthe transaction. Control next passes to step S212, in which the validitystatus stored in the database for that certificate is up dated. Controlthen passes to decision step S214 in which, if the certificate was foundinvalid, control passes to step S198 where the transmission is rejected,or to step S208 where the transmission is accepted. Rejection of thetransmission may mean that it is deleted from the recipients mail boxbefore it has been opened, or that the transmission is marked with theword ‘rejected’ or some other indicator. Following either of steps S198or S208, control passes to step S200 where the module exits. Whenever atransaction is allowed to proceed the database is updated such that itincludes information about the transaction, such as date and amount, inorder that the information may be used in determining the need forfuture validation checks.

Recording of Information

[0177] The preferred system also provides an automatic way in which torecord transaction information for transactions carried out on-line. Inthis context, the word Atransaction@ and AeCommerce transaction@ areintended to mean an agreement promising money or money's worth madebetween two parties over the Internet, or even over the same network ofa company. Normally, the user himself is responsible for maintainingtransaction information by making hard copies of the relevant electronicrecords or by actively storing copies of any electronic records in fileson his computer. The reliance on manual methods to ensure these recordsare maintained is clearly both unreliable and labour intensive.

[0178] The preferred system on the other hand scans the informationcontent of all communications processed by the system for indicationsthat a transaction has begun or is taking place. Such indications arenumerous. The most straightforward is whether the link is secure or notas most web pages negotiate a secure link before a transaction iscarried out and close that link afterwards. Determining whether a linkis secure is achieved by examining the URL of the destination web page.A secure link is indicated by an ‘s’ after the prefix ‘http’. Thus, onemode of operation of the preferred system is to record all datatransmitted to a web page while a link is secure. The preferred systemalso maintains a record of web pages that negotiate secure links butthat are not eCommerce sites, i.e. those that are connected to otherthan to make purchases, and not record any data transmitted to thesepages. Such a web page might be Microsoft's Hotmail web page whichProvides an e-mail service.

[0179] Another indication might be simply the URL of the site. In thiscase the preferred system may be configured to record all datatransmitted to a web page which has been identified as that of anon-line trading company. Other indications might be an identified creditcard number, an electronic receipt, an e-mail acknowledging the sale,use of a digital certificate, in particular a digital warrantycertificate, or a purchases code.

[0180] Once a transaction has been identified as occurring, thepreferred system may record the details of the transaction by bothstoring in entirety each communication between a user and the identifiedtrader, or by scanning the transmissions and extracting particulardetails, such as date, amount, type of goods, quantity and so on.

[0181] Recording of transaction data may be stopped when the end of thetransaction is identified or after a predefined number of transmissionsbetween the purchaser and the trader have taken place. Similarly, once atransaction has been identified, the preferred system may record in thedatabase a predefined number of cached transmissions that took placeimmediately before the first recognised transmission of the transaction.

[0182] This will be useful when, for example, the first indication thata transmission is occurring is the detection of a credit card number oran electronic receipt, since these are likely to received at the veryend of a transaction. The prior transmissions may, for example consistof web pages containing information regarding the goods or servicesbeing purchased, or an exchange of e-mails where specification ordelivery terms were agreed. Note that it is perfectly possible for theprior transmissions to be of the same type as that in which thetransaction was detected, of a different type, or be a mixture of types.For example a user might visit a web site www.abc.com, obtain details ofgoods, and then order them in an email sent to orders@abc.com.

[0183] The preferred system records the transaction details in acentralised common database 42. Additionally, the database may be alocal file or a service on a network. The information stored in thedatabase may be encrypted using known encryption techniques so that onlya person with the necessary authorisation may access it.

[0184]FIG. 12 is an illustration of the operation of an exampleimplementation of a module for identifying when an electronictransaction is being conducted on-line. FIG. 14 illustrates the processby which the preferred system records an identified transaction in thedatabase, and FIG. 15 illustrates how the preferred system allows anidentified transaction to be approved or rejected on the basis of apredetermined approvals policy.

[0185] With reference to FIG. 12, the operation of a module foridentifying when an on-line transaction is occurring will next bedescribed.

[0186] The module begins operation at step S250 in response to receivingdata or in response to a user initiating transmission of data to aremote site. In the case of a web browser implementation this will beafter point A or after point C respectively as shown in FIG. 3; in thecase of implementation in an e-mail client it will be after point A or Brespectively as shown in FIG. 5.

[0187] Control then passes to decision step S252 in which it isdetermined whether, in the case of a web browser, a secure link has beennegotiated between the site transmitting data and the site receivingdata. This may be achieved by querying the URL address that has beenconnected to, as mentioned above, or interrogating the web browser tosee if encryption is being employed.

[0188] In the case of an e-mail message this step is omitted and controlpasses directly to step S260. Since on-line web browser transactionsusually involve the transmission of personal information, such name andaddress; credit card number or other account identifying information,secure links are usually negotiated as a matter of course. Thus thepresence of a secure link alone is a good indication that a transactionis taking place. However, secure connections may be negotiated forreasons other than the transmission of transaction details. Thus, if instep S252 it is determined that the connection is secure, control passesto step S254, in which the address of the remote site to which theconnection has been made is checked against a list of known sites whichdo not provide facilities for conducting on-line transactions but whichdo establish secure connections.

[0189] Browser based e-mail sites such as Microsoft's Hotmail site isone such example. Control then passes to decision step S256 where adetermination based on the previous check is made. If the site addressis identified as a non eCommerce site, that is one which does notfacilitate the making of a transaction, then it is determined that atransaction may or may not be occurring and control passes to decisionstep S260 to make further checks on the transmission content. If in stepS256 the site address is not identified as a known non eCommerce site,then it is assumed that an on-line transaction is occurring, and themodule exits at step S258.

[0190] If a secure connection is found not to have been established atstep S252, or if a secure connection has been established but to a knownnon-eCommerce site, as determined at step S256, or the transmission isan e-mail, then control passes to decision step S260. In decision stepS260, the first of a number of checks on the content of the transmissionare made in order to determine whether or not it is part of atransaction. In step S260, the transmission is scanned to see if itcontains a credit card number. The method for doing this has beendescribed with reference to FIG. 8. If a credit card number is found inthe transmission then it is assumed that a transaction must be occurringand control passes to step S258 at which the module exits. If no creditcard number is found then control passes instead to decision step S262where the transmission is scanned to see if it contains an account code.Account codes may be (for example) stored in a separate file which isaccessed by the module when performing this step or alternatively anaccount code may be identified from descriptive data in the transmissionsuch as a field name like “Account Number” or similar charactersappearing in the text of a message.

[0191] If indecision step S262 an account code is found, then it isassumed that the transmission constitutes part of a transaction andcontrol passes to step S258 where the module exits. If no account codeis found then control passes to step S264 where, in the case of a webbrowser, the URL is compared with a list of known eCommerce URLs storedin a file or in a database. In decision step S266, a determination onthat comparison is made. If the URL is found to be at a known eCommercepage, or within a known set of eCommerce pages, then it is determinedthat an eCommerce transaction is taking place and control passes to stepS258 where the module exits. Similarly, in the case of an e-mail, thedestination address may be compared against a list of known eCommercee-mail addresses, for example ‘orders@abc.com’, and if a match is foundthen it is determined that an eCommerce transaction is taking place andcontrol passes to step S258 where the module exits.

[0192] The checks that have been described are only representative ofthe possible checks that could be made to determine whether or not atransmission is likely to be part of an eCommerce transaction and arenot intended to be exhaustive. Furthermore, the order in which thechecks have been illustrated has no special significance. The order issimply dependent on the structure of the policy data as will be seenfrom reference to FIG. 13.

[0193] In step S268, a general check is illustrated which represents anyfurther check for an indication of a transaction, in addition to thosedescribed above, which a company decides it is desirable to employ, suchas searching for purchase codes or embedded codes placed in the data forexample. It is preferred that the web browser or e-mail client beingused in the preferred system allows the user to mark transmissions withan embedded code to indicate that the transmission is part of atransaction and should be recorded. Also, the embedded code could beplaced in the data by the web site or the e-mail client transmittingsome of the transaction data to the user's workstation.

[0194] Control passes to this step after step S266, if the site is notrecognised as a known eCommerce site and if such a transaction indicatoris found in step S268, then a transaction is deemed to be occurring andcontrol passes to step S258 where the module exits. If at step S268, nosuch indicator is found then no transaction is deemed to be occurringand the module exits at step S258. Following exit, the data may betransmitted, following points C and B in FIGS. 3 and 5 respectively, orbe processed following on from its receipt at point A in FIGS. 3. and 5.

[0195] In the example described, the aim is to start recordingtransmissions and possible transaction details if there is just asuspicion that a transaction is occurring. It is assumed that recordingdata which is not part of a transaction is preferable to not recording atransaction at all FIG. 13 is an illustration of the policy data used toidentify that eCommerce transaction is occurring and to control the wayin which the transaction data is recorded. The policy data isrepresented by a Transactions branch of the policy data tree whichsub-divides into two separate sub-branches called AIdentification@ andATermination@. The Identification branch is itself divided into fivesub-branches which correspond to the determinations made in the processillustrated in FIG. 12. The first of these sub-branches entitledAIfConnectionGoesSecure@ allows a user to specify whether recordingshould start when the plug-in module detects that the connection to theweb server has become secure. The conditions specified on the thissub-branch corresponds to decision step S252 shown in FIG. 12. It willbe appreciated with reference to FIGS. 12 and 13 that the flow ofcontrol shown in FIG. 12 corresponds to the layout of the conditionsspecified on the branches of the policy data tree shown in FIG. 13. TheExcludedSites branch of the IfConnectionGoesSecure branch contains areference to table q in which the web sites known to negotiate securesites but which are known not to be eCommerce web sites are listed.Table q is referred to in step S256 of the process shown in FIG. 12.

[0196] The next sub-branch of the identification branch is entitledAIfCreditCardNumberPresent@ and allows the user to specify whether thedetection of a credit card number should or should not be used toinitiate recording of data being transmitted or received. Thissub-branch corresponds to decision step S260. The PreviousPagessub-branch of the IfCreditCardNumberPresent branch lists the number ofweb pages, prior to the web page in which the credit card number wasdetected, which should also be recorded. Since credit card numbers arenormally submitted at the end of the transaction, the provision of thissub-branch enables previous web pages which are likely to contain thedetails and request of the transaction to be retrieved and stored. Theseweb pages are cached continuously by the preferred system so that shoulda transaction be identified they may be retrieved from the cache andstored in the database. This will be explained in more detail withreference to FIG. 14.

[0197] The next sub-branch of the Identification branch tree is entitledAIfAccountsCodePresent@ and allows a user to specify whether or not thedetection of an account code in the data being transmitted or receivedis to be taken as an indicator to initiate recording of the data. Theaccounts codes are identified in step S262 shown in FIG. 12 by referenceto table r. The reference to this table is contained in the AccountCodessub-branch of the IfAccountCodePresent branch. Note that this table alsoshows the number of previous pages to record, in a similar manner tothat described above for credit card identification, however in thiscase the number of previous pages to record is stored in table rallowing a different number of pages to be specified for each detectedaccount code.

[0198] The IfKnownECommerceSite branch allows the user to specify a listof URLs corresponding to sites, parts of single pages, where eCommercetransactions are known to take place. The current page URL is matchedagainst entries in this list to determine if a transaction is takingplace. The KnownSites sub-branch contains a reference to table s inwhich the URLs of known eCommerce sites are stored. The determination ofwhether the URL of the web site is a known eCommerce site is made indecision step S266 following step S264 of FIG. 12. Lastly, theIfOtherIndicatorPresent branch provides a way for the user to specifywhether or not the determination of other indicators should be used as astarting point for the recording of data. Two sub-branches of thisbranch entitled KeyWords and PreviousPages specify possible indicatorsthat may be detected, in this case key words listed in table t, and alsothe number of previous pages that are required to be stored if key wordsare detected.

[0199] The Termination branch of the Transactions branch divides intofour sub-branches which specify conditions which are used to end therecording of data being transmitted or received. Each sub-branch setsout a condition by which the end of the transaction may be defined. Thefirst branch entitled AIfConnectionGoesInsecure@ allows a user tospecify that the relinquishing of a secure connection by the web browserindicates the end of a transaction so that recording should be stopped.The other sub-branches specify that when the web site changes recordingshould stop, if a digital receipt is received recording should stop andrecording should stop after the receipt of 20 web pages followingidentification that a transaction is occurring.

[0200] It must be stressed that policy data shown in this diagram, inparticular, but also in the other diagrams is unique to each user. Notonly may a user specify whether or not particular conditions are to beacted on by setting the Yes or No variable accordingly, or by changingthe number of pages that are to be recorded for example, but also thestructure and arrangement of branches and conditions specified on thosebranches may be different from user to user. It will be appreciated thatwhile the example policy describes recording of transactions in a webbrowser environment, a similar policy would control the e-mailenvironment, omitting the secure connection option, but allowing policyto be defined for recording e-mails on detection of credit card numbers,account codes or other identifiable information within them, or wheree-mails are sent to known eCommerce addresses.

[0201] The full benefit of the method for identifying a transaction isrealised when the method is utilised along with means for recordingtransmissions between a user of the preferred system and a remote site.This allows a record of all transactions carried out by a user to bekept and maintained automatically. The records may be kept up to datewithout the need for making paper copies of each transmission receivedor sent. Thus, a company's record keeping is made considerably easierand more accurate.

[0202]FIG. 14 illustrates the operation of a module for recordingtransmissions which comprise a transaction. The module is initiated atstep S270.

[0203] If the module is implemented as part of a web browser, step S270is initiated at point A in FIG. 3 after the receipt of data or afterpoint C in FIG. 3 directly before transmission data to remote site. Ifthe module is implemented as part of an e-mail client step S270 occursafter point A in FIG. 5 after an e-mail has been received or after pointB in FIG. 5 just before an e-mail composed by the user is sent to arecipient. Following step S270, control passes to step S272 in which thetest for identifying a transaction, described above with reference toFIG. 9, is performed and a determination is made as to whether aneCommerce transaction is occurring or not. Control then passes todecision step S274 where, if it is determined that no transaction isoccurring control passes directly to step S276 where the module exits.

[0204] If a transaction is determined to be occurring however controlpasses to step S278 in which the policy is consulted against one or moreof the means of detection, the identity of the sender, the amount of thetransaction, or other parameters to determine which prior transmissions,if any, should be stored with the identified transmission, and in howmuch detail the transmission should be recorded. The policy might, forexample, require that a transaction involving a large sum of money berecorded in more detail than a transaction for a small sum. An exampleof this in operation might be the recording of every web page accessedduring the making of a transaction on an on-line trader's web site fortransactions involving large sums of money, but only recording thetransmission containing an electronic receipt for transactions forsmaller amounts.

[0205] As well as determining the amount of data to be stored, thepolicy file may also determine the nature of the data to be recorded.The entire transmission or web page may be recorded as a series of snapshots of the transaction, in the same way as web pages are stored incache memories for example, or alternatively, individual items of data,such as the date, the trader's identity, the amount and so on, may beextracted from the transmission or web page, and stored either on theirown or together with the snap shot data.

[0206] In this way, memory for storage can be used most effectively toensure that the most important transactions have sufficient space to berecorded. The amount of transaction data to be recorded may also dependon the trader's identity, geographical location, trading history withthe user's company, and the goods and services on offer.

[0207] In FIG. 13, the example policy data shows a simple scenario inwhich the amount of data to record is specified in terms of the numberof web pages that are to be retrieved from the pages cached in memory.The number differs depending on whether a credit card number, an accountcode or a keyword is identified. Furthermore, table r shows that withthe recognition of different account codes the number of previous webpages to store might be different, reflecting the relative importance ofthe account.

[0208] Extending this simple case to a more sophisticated one may beachieved by providing a higher level of detail in the policy data.Additional branches to the policy data tree could specify company orindividual names, or specific keywords relating to goods and/orservices; the amount of data to record depending on these keywords andnames as well.

[0209] Also, the tables might be expanded to refer to the amount ofdifferent types of data that should be stored. Data such as the companyname, what was being sold, the quantity and so on could be extractedfrom e-mail text, from the HTML text defining the web page, or from theDOM representation of the web page and stored in the database.

[0210] All web pages or information stored in the cache may beretrieved, or alternatively the system may retrieve only pages that havedetails in common with the page initially identified as being part of atransaction.

[0211] Alternatively, a list of all stored messages may be presented tothe user for the user to manually select those transmissions whichrelate to the identified transaction.

[0212] Following determination of how much data to record control passedto decision step S280. In step S280 if earlier transmissions, are to bestored, control passes to step S282 where the transmissions stored inthe local cache are retrieved. In the case of a web browser, this may bea determined number of prior pages, as described above. Where thetransaction was detected in a web browser, policy may also dictate thatthe cache is searched for prior e-mail messages relating to thetransaction, for example sent to or received from the same organisation.This may be determined by matching portions of the browser URL toportions of the e-mail addresses. Similarly, transactions detected ine-mail messages may cause both prior e-mails and prior web pages to beretrieved from the cache. Control then passes to step S284 in which theidentified transaction and any retrieved prior transmissions are storedin the system database 42.

[0213] In step S280, if earlier transmissions are not required, controlpasses directly to step S284 where the transmission identified as atransaction is recorded in the system database. At the same time as thetransmissions are stored in step S284, related data such as the useridentity, the amount and the other party to the transaction may also berecorded in the system database to form a complete record, although thiswill depend on the instructions of the policy data. Control then passesto S286 and the module exits.

[0214] Following on from step S276 after the module exits, the data maybe transmitted, following point A in FIGS. 3 and 5, or be processedfollowing on from being received at points C and B in FIGS. 3 and 5respectively.

[0215] Once a transmission has been identified as taking place alltransmission between the user and the other party may be recorded untilthe system detects that the transaction has been completed. Detectingthe end point of a transaction and stopping recording may be done in amanner similar to that described above for identifying whether atransaction is taking place. The most simple implementation is to recordtransmission information until an electronic receipt or shipping orderis received. Alternatively, recording of transmissions may caused tostop after a predetermined number of transmissions between the user andthe other party have occurred, or if a certain amount of time has passedsince the transaction was identified.

[0216] Transmissions may be made simpler if each time the user changesweb site the cache is emptied. This keeps the memory required for thecache memory low, as well as reducing the number of previoustransmissions that need to be searched if searching techniques are to beemployed.

[0217] It will be appreciated that the methods described above can alsobe used to record associated transmissions which occur after atransaction has been detected and recorded. For example, a transactionmade using a web browser will typically be followed by a confirmatorye-mail sent from the seller to the buyer.

[0218] This e-mail can be detected as forming part of the transaction,since it will contain common characteristics, such as order number,account number, goods description, price etc. It may also be sent froman address similar to the web site address, for example‘customerservices@abc.com’ when the original web site used to make thepurchase was ‘abc.com’. A time element is preferably used such that onlysubsequent transmissions which occur within a given time period areconsidered as being associated with the original transaction.

[0219] In addition to recording transaction information, it may beadvantageous to record other information which provides management withthe ability to analyse the behaviour of their users, for example toensure that the organisation is in fact obtaining real productivitybenefit from its adoption of electronic commerce. Such information isnot limited to the productivity of the user himself, but to the overallprocess, allowing for example a comparison of web purchasing sites todetermine which are the most efficient in terms of the purchase process,and therefore which will be of greatest benefit in reducing purchasingcosts. The preferred system provides for this by recording additionalinformation, such as the amount of time a purchase takes, the number ofkeystrokes and mouse clicks required to complete a purchase, the amountof ‘idle’ time while the user waits for pages to download or responsesto be received. This information can be recorded with the transactionrecord in the database, allowing statistical analysis to be carried outacross a range of transactions.

[0220] The time taken for a transaction can be determined by associatinga timestamp with each of the transmissions received. When it isdetermined that the transaction is complete, the timestamp associatedwith the first transmission (which may have been recovered from thecache in step S282) is subtracted from the timestamp associated with thelast transmission, and the result, which will be the overall transactionduration, is stored in the database in step 8284. Alternatively, firstand last timestamps could be recorded in the database and thetransaction duration calculated later. The number of keystrokes andmouse clicks can be determined in a Microsoft Windows based system byusing standard Windows ‘hooks’ into the operating system. Suchtechniques are described more fully in the document “Win 32 Hooks” byKyle Marsh of the Microsoft Developer Network Technology Group, dated 29Jul. 1993 available on the Microsoft Corporation web site(http://msdn.microsoft.com/library/default.asp?.

[0221] url=/library/en-us/dnmgmt/html/msdn_hooks32.asp).

[0222] The preferred system maintains counters of the number ofkeystrokes (using the WH_KEYBOARD hook) and mouse clicks (using theWH_MOUSE hook) that occur between each received transmission, associatesthese totals with the received transmission. Keystrokes and mouse clickswhich occur while another application has the focus (for example if theuser temporarily switches to another application) are ignored. When itis determined that the transaction is complete, the totals of keystrokesand mouse clicks which occurred between the first transmission (whichmay have been recovered from the cache in step S282) and the lasttransmission are added together, and the result, which will be the totalnumber of keystrokes and mouse clicks during the overall transaction, isstored in the database in step S284. Similarly, the web site transactionresponse time can be measured by noting the time at which each outboundtransmission request is sent, and then subtracting it from the time theresponse transmission is received. Aggregating the response timesbetween the start and end of the transaction will give the total timethe user spent waiting for the web site. Similarly the preferred systemalso counts the user response time, that is the time between atransmission being received, and the time a response is transmitted.

[0223] The preferred system also calculates how much of the userresponse time is spent entering data, and therefore allows the timerequired for the user to ‘absorb’ the incoming transmission (being thedifference) to be determined. The time spent entering data is determinedby maintaining a ‘stopwatch’. The stopwatch is reset each time a newtransmission is received, and is re-started immediately whenever theuser enters a keystroke or clicks the mouse. Should the user not enter akeystroke or click the mouse for a pre-determined period of time, forexample 5 seconds, the system assumes that the user is now absorbingdetails of the previous transmission and stops the watch. The watch isalso stopped when the keystroke or mouse click causes an outboundtransmission to be sent. Aggregating the time spent entering databetween the start and end of the transaction will give the total timethe user spent entering data on the web site. The aggregated times canbe stored in the database at step S284 for future analysis.

[0224] The preferred system also provides means for monitoringtransactions that are being made and automatically referring thetransaction for approval if that is deemed necessary. This processallows a large company to monitor and control the transactions beingmade by its employees using a single set of criteria set out in thepolicy data. The policy data may be referred to each time a transactionis identified in order to determine whether the user is authorised tomake that transaction himself or whether he needs to requestauthorisation from higher up in the company. The process is illustratedin FIG. 15 to which reference should now be made.

[0225] The module embodying this process is initiated at step S290. Thisinitiation preferably takes place as soon as all relevant details of thetransaction which need to be considered have been determined, and beforethe transaction is committed. In the case of an e-mail transaction,details such as goods and price are typically contained within a singlee-mail and can be considered prior to transmission of that e-mail. Inthe case of a web browser transaction, the existence of transaction maybe detected before all details are known, in which case initiation doesnot take place until they are. This does not normally present a problemas final commitment does not occur until the very end of the transactionprocess, well after all relevant details are known. Detection of thetransaction and relevant details may be determined in the mannerdescribed above with reference to FIG. 12. Referring briefly to FIGS. 3and 5, it will be seen that step S290 occurs after point C in FIG. 3 inthe case of web browser implementation, or after point A in FIG. 5 inthe case of e-mail client implementation once the required details areknown.

[0226] Control passes from step S290 to decision step S292 in which thedetails of the transaction are compared against the policy settings todetermine whether or not approval is required. The determination may bebased on the identity or the position of the employee making thetransaction, the amount of the transaction, or the other party in thetransaction. In some instances, approval might always be required, suchas if the financial director of a company wishes to review eachtransaction before it is made.

[0227]FIG. 16 is an illustration of example policy data that may be usedto determine whether or not a transaction requires approval from a thirdparty and also to determine the identity of an appropriate approver whois to be used. In this case, conditions in the policy data stipulatewhether approval is required depending on the transaction amount, andthe URL address of the other party to the transaction.

[0228] The relevant policy data is set out on the Transactions Approvalbranch of the policy data tree. This branch sub-divides into foursub-branches. The first branch is entitled‘MaximumUnapprovedTransactionAmount’ and defines a threshold amount fortransactions. Transactions for amounts over the threshold must beapproved by an approver before they are made.

[0229] The second sub-branch entitled ‘MaximumUnapprovedMonthlyAmount’defines a maximum amount for transactions that a user may make within amonth. In this case, any transaction made by the user which would causethe monthly total to exceed $2,500 will require approval from a thirdparty, as will further transactions made after that threshold has beenreached.

[0230] The third branch entitled ‘ExcludedSites’ refers to a tablecontaining web site and e-mail addresses of all sites which alwaysrequire approval from a third party before a transaction may be made.Finally, the last branch entitled ‘Approvers’ refers to a table in whichthe names of possible third party approvers are listed. Along side eachname is the maximum transaction amount for which that approver has theauthority to approve, and a list of excluded sites for which thatapprover may not approve a transaction. In the simplest of cases,approvers will be other computer users logged in on the same network asthe user making the transaction such as department managers, orsupervisors. The approvers will, by nature of their role, be members ofthe trading company who assume and who have the authority to assumeresponsibility for the financial transactions the company makes. It isalso possible that approvers might be drawn from a group of people whoare employed primarily for this role, such as people in the financialdepartment only.

[0231] If the conditions on the first three sub-branches of thetransaction branch indicate that approval is required an appropriateapprover may be found by scanning through the table of approvers untilan approver whose transaction limit is equal to or greater than of theproposed transaction and who is not prohibited from approvingtransactions to the relevant site is found.

[0232] It will be appreciated that the example policy data shown in FIG.16 is policy data that is specific to a single computer user, or groupof users, in the network. Other users, or groups, may have differentsettings and a different list of approvers.

[0233] It will be appreciated that the conditions to determine anappropriate approver may be introduced by creating new sub-branches ofthe policy data tree.

[0234] The operation of the approvals process could for example beextended to any kind of transmission, not just those comprising aneCommerce transaction. Such operation may be implemented by having theconditions defined or the sub-branches of the policy data specifyusernames, addresses or keywords for example that are to be identifiedin the transmission and acted upon. Thus, all e-mail transmissions to aparticular company or individual may be caused to require approval, orall e-mails containing predetermined information recognised via keywordidentification.

[0235] If it is determined in step S292 that no approval is required,control passes directly to step S294 at which the module exits.Following step S294 the transmission of the transaction is permitted andthe transaction may be proceed. Control returns from step S294 to pointC in FIG. 3 or to point B in FIG. 5.

[0236] However, if in step S292, after consulting the policy settings,it is determined that approval of the transaction is required, controlpasses to step S296 in which the particulars of the transaction are usedto determine an appropriate approver for the transaction.

[0237] The approver may be a company employee logged on at hisworkstation, or at a workstation with a dedicated approver function suchas Operator consoles 44, as shown in FIG. 2, or may even be an automatedprocess. In the case of a large company with a number of departments, itmaybe advantageous to have a group of approvers for each department,each group monitoring the department's accounts. This allowstransactions to be rejected before they are made if, for example if thedepartment head decides that he wishes to temporarily suspend purchases,or purchases of a particular nature.

[0238] Control passes from step S296 following determination of anappropriate approver to step S298 where an approval request istransmitted to the designated approver via systems approval queue 100.Following step S298 control passes to decision step S300 where it isdetermined if a response from the approver has been received. A timer isstarted the moment a request for approval is submitted. If a responsehas not been received in step S300 control passes to step S302 where itis determined from the timer whether or not a time out period haselapsed. Providing the period has not elapsed, control passes from stepS302 back to S300 where the system continues to wait for a response fromthe approver. Thus decision steps S300 and S302 form a loop in which thesystem waits until a response is received or until time out expires. Indecision step S300 once a response is received, control passes to stepS364 in which action is taken depending upon whether the transaction wasapproved or rejected.

[0239] If the transaction was approved control passes from step S304 tostep S294 at which the module exits and the transmission is allowed toproceed. If however the transmission is not approved then control passesfrom step S300 to step S306 at which the module exits. Exiting at stepS306 however prevents the transmission of the transaction from takingplace and returns the user to point A in FIG. 3 in the case of webbrowser implementation or to step S132 “compose e-mail” in FIG. 5 in thecase of e-mail client implementation.

[0240] Also, if in step S302 the ‘time-out’ is deemed to have expiredwithout a response from the approver having been received then controlpasses directly to step S306 at which the module exits.

[0241] The right hand side of FIG. 15 shows the steps involved for theapprover. The approval process is initiated in step S310, from whichcontrol passes to step S312 in which the approver's machine queries thesystems approval queue for any new approval requests. Control thenpasses to decision step S314. In step S314 if no request is pendingcontrol passes back to step S312 where the system queue is polled onceagain.

[0242] These steps are repeated until an approval request is received oruntil the approver deactivates the approval process.

[0243] In step S314 if an approval request is received, control passesto step S316 in which the approval request is downloaded from thesystems queue and the approver himself decides whether to approve therequest or refuse it. Control then passes to step S318 in which theapprover's response is transmitted back to the system approvals queueand from there back to the users work station.

[0244] Control passes from step S318 back to step S312 in which thesystem approvals queue is queried for new approval requests. It will beappreciated that the approvals process could be entirely automated insome circumstances. For example, transactions may be automaticallyrejected if the company does not have sufficient funds, if they wouldcause budget amounts to be exceeded, or if they are simply over amaximum amount. Such automation could alternatively be provided as partof the user process, such that an approvals request is not even made.

[0245] In determining whether to approve a given transaction, theapprover should ideally be able to have a complete view of it, forexample such that he/she can see exactly what is being purchased, ratherthan simply summary information such as total price and supplier. Thepreferred system provides for this by combining the features ofrecording transmissions described above, with the approvals feature. Theapprovals request submitted at Step S298 is supplemented with areference to the location in the database of the transaction informationstored in Step S284. The approver receives the location details in StepS316 and the system retrieves the transmissions which constitute thetransaction from the database, suitably displaying them such that theapprover can consider them in making his/her determination of approval.Operation then continues normally at step S318. Clearly it is importantthat the recording step S284 takes place before the approval request ismade at step S298, otherwise the recorded information will not yet beavailable. Since at step S284 the transaction will have been identified,but not yet completed (since it has not yet been approved), it isnecessary for the database record made in step S284 to contain a flagwhich identifies the transaction as “pending”. This flag can then beupdated in Step S316 to show that the transaction has been approved ordenied, or alternatively, if approval is denied the database record canbe deleted since the transaction did not take place.

Security

[0246] The preferred system provides means to assign an appropriatesecurity rating to the transmission in dependence on the identifiednature of the data being transmitted. The security rating assigned maybe set by the user of the system using the policy data to reflect hisneeds.

[0247] The simplest implementation of the policy data in this case is alist containing in a first column possible types of data, such asemployee passwords, employer passwords, credit card numbers, bankingdetails and so on, and containing in a second column, the desiredencryption strength (in key bits for example) deemed appropriate foreach data type. It will be appreciated that other ways of assigningsecurity levels in dependence on the determined nature of the data mayalso be employed within the scope of the invention.

[0248]FIG. 17 shows an example illustration of policy data definingappropriate encryption strengths for various types of data. The policydata takes the form of a number of key-value pairs arranged on separatebranches of the policy data tree. The key specifies the type of datathat is being transmitted such as passwords, credit card numbers,submitted key words and a general key for any other submitted data. Thevalues that correspond to these keys are the encryption strength in bitsthat is deemed appropriate for the transmission of the data specified inthe key. The key value pairs are arranged on several branches of theRequiredEncryptionLevel branch of the TransmittedDataSecurity branch ofthe policy data tree. Thus, in the example, it may be seen thatpasswords have a desired encryption strength of 40 bits, company creditcard numbers and personal credit card numbers both have a desiredencryption strength of 128 bits, submitted key words have a desiredencryption strength of 40 bits and other submitted data requires noencryption.

[0249] The SubmittedKeywords branch refers to particular words orstrings or text that have been designated as sensitive and requiringsome form of encryption. These may be usernames, address information,financial information or pre-selected words such as ‘Confidential’ orSecret’. The submitted keywords may be detected by referring to a tableor file in which they are stored.

[0250] Furthermore, each branch of the policy data may, instead ofgiving a general encryption strength, refer to a table in whichdifferent passwords or credit card numbers, for example, are listedalong with corresponding encryption strengths specific to each passwordor number.

[0251] Once a security rating has been assigned, the plug-in-moduleinterrogates either the web browser to determine the security of thelink that has been established by the web browser with the web serverfor transmission of that information, or in the case of an e-mailtransmission, the encryption settings that the user or application havedetermined will be applied to the message. Typically, this will be thecryptographic strength of the encryption algorithm used to encode thedata for transmission. Such transmission details are received by the webbrowser as part of the ‘electronic handshake’ from the web serviceprovider.

[0252] A secure link is usually indicated in a Browser window by thepresence of a closed padlock icon in the bottom right corner. A user canclick on the icon to interrogate the level of security that has beenprovided by the handshake. In doing so they may receive a notificationof the form ASSL secured. (128 bit). The first part of the notificationdescribes the type of the encryption used while the second partdescribes the encryption strength. The plug-in module is implemented toautomatically obtain this data from the browser so that it may be usedto determine whether or not the security level is adequate for aproposed transmission. Similarly, in the case of an e-mail message, theplug-in module determines the encryption settings that the user orapplication has specified are to be used prior to transmission of themessage.

[0253] The module compares,the specified encryption strength with thatof the link or message and depending on the result of the comparisonperforms one of the following actions:

[0254] a) If the security of the link is appropriate for the nature ofthe information being transmitted, the module allows the information tobe transmitted;

[0255] b) If the security of the link is more than that required for thetransmission of the information then, the module may either allow theinformation to be transmitted at that level of security, automaticallyrenegotiate with the web server and the web browser a new appropriatelevel of security and transmit the information at that level, or promptthe user that the present level of security is unnecessary and invitethem to take action.

[0256] c) If the security of the link is not sufficient for the natureof the information being transmitted then, the module may either preventthe transmission from taking place and warn the user, automaticallyrenegotiate with the web server and the web browser a new appropriatelevel of security and then transmit the information at that level, or inthe case of an e-mail automatically increase the encryption strengthsetting, or prompt the user that the present level of security is notsufficient and invite them to confirm that they still wish fortransmission to take place.

[0257] It will be appreciated that the plug-in module could beconfigured to respond to a difference in the determine desirable levelof security and that being provided in a number of ways and that theactions outlined above are only illustrative.

[0258] Further actions that may be taken by the system might includerequesting a different web page to be down loaded to the user's machineor modifying the submitted field data such that sensitive information isnot transmitted.

[0259] The operation of a browser or e-mail plug in module formonitoring the data being transmitted by a user of the preferred systemis illustrated in FIG. 18, to which reference should be made. The modulebegins operation at step S320 at point C in FIG. 3, just prior to thetransmission of the data to a web server or at point B in FIG. 5 justprior to transmission of an e-mail. Control then passes to step S322, inwhich the module parses the data about to be transmitted and searchesfor credit, card numbers. A possible method for doing this was describedearlier with reference to FIG. 8. If no credit card number is detectedin the data then control passes to step S314 in which the modulesearches for passwords in the data about to be transmitted. A method fordoing this has been described above,, with reference to FIG. 6. If noPassword is found in the data, then control passes to step S316 in whichthe module searches for company account or purchase codes in the data.Recognising account or purchase codes may be achieved by storing thecodes of the company in a file and attempting to match these codes withany strings of digits found in the outgoinq data. If no account code isfound then for indications of other sensitive data in the data to betransmitted. Such indications will need to be defined in advancepreferably in a separate file used for detection, and will be dependenton the requirements of the users of the preferred system. Examples mightbe specified keywords relating to projects the company is undertaking,project titles, themselves, personal details address of the recipient ofthe data, or of the sender, or even the word ‘confidential’ or ‘private’included in the data itself

[0260] If no such indications are found that the data is sensitive andrequires stronger protection before it is transmitted, then thetransmission is allowed to proceed at the current level of encryption.This may mean that transmission takes place without any encryption beingapplied.

[0261] If however any of the checks in steps S322 to S328 reveal datathat is deemed sensitive then control passes to step S332 in which asecurity rating is assigned to the detected data. This is achieved bycomparing the detected data with pre-determined entries in the policydata.

[0262] Each entry on the branch of the policy data has a pre-assignedlevel of encryption which is the minimum level that may be used fortransmission of that data. The entries in the table and the assignedlevel of encryption, as with all the policy settings, are decided by thecompany using the preferred system in dependence on their requirements.Assigning a security rating is then simply a matter of looking uppassword, credit card number or other data in the policy data andreading off the corresponding rating. References to tables on a subbranch of the policy data may be used to allocate different encryptionstrengths to different passwords, credit card numbers and so on.

[0263] Once the appropriate security level has been determined in stepS332, control passes to step S334 in which the module determines thelevel of encryption that has been negotiated with the web server towhich the data is being transmitted, or is to be used by the e-mailapplication prior to transmitting the message. This may be achieved byinterrogating the web browser or e-mail application, or by settingencryption strength variables at the time the link is established ore-mail encryption requirements determined, both of which will occurprior to transmission.

[0264] Control then passes to decision step S336 in which the desiredlevel of security, i.e. the encryption strength, is compared with thatdetermined in the previous step. If the desired level of encryption islower than or equal to that determined in step S334, then there isdeemed to be enough protection for the data to be transmitted andcontrol passes to end step S330, where the module exits. Following stepS330, control returns to either point C in FIG. 3 or point B in FIG. 5depending on whether the module is implemented in a web browser or ane-mail client. Transmission of the data may then proceed in the usualway.

[0265] If however in step S336, the desired level of encryption isgreater than that currently set, then the module does not allowtransmission to go ahead until the proper level of encryption has beennegotiated. Control passes to decision step S338 in which the moduledetermines if it is able to increase the encryption strength, and if sopasses control to step S340 where a new stronger encrypted link isnegotiated, or in the case of an e-mail a higher encryption strengthset.

[0266] The highest level of encryption that is available depends on thesoftware being used by both the web server and the web browser, or inthe case of an e-mail by the sending and receiving e-mail applications.There may then be cases in which the appropriate level of encryption isnot available by one party and transmission of the data is never allowedto proceed. Furthermore, certain types of data may be given a securityrating that indicates that no level of encryption will ever be highenough to protect it, ie: preventing that data from ever beingtransmitted.

[0267] Having attempted to re-established the link, or changed thee-mail encryption settings, to a higher encryption strength, controlpasses back to step S334 to ensure the link or settings are now at asuitable strength. If the appropriate encryption level cannot berenegotiated in step S338 or an attempt to increase the encryptionstrength at step S340 has not been successful, then it is deemed unsafeto transmit the data, and control passes to end step S342 where themodule-exits. Following exit at step S342, control returns to point A inFIG. 3, or to step S132 in FIG. 5 ‘compose e-mail’, for the user toreconsider and edit or abort the transmission. A suitable message mayalso be displayed to the user explaining the reasons for thetransmission being prevented.

[0268] The preferred system therefore provides a way of ensuring thattransmission of data is as secure as possible. It precludes thepossibility of a user forgetting to secure a transmission, andnegotiates a more appropriate level of security if that being used isnot sufficient.

[0269] Web Browsers may provide similar facilities to warn the user thatuser entered data is about to be sent over an insecure link or providefacilities to encrypt all messages by default. The preferred systemhowever provides the ability to examine the content of data to betransmitted to determine its security requirement, to allow or preventtransmission based on such security requirements, and on the determinedsecurity level of the link (encryption strength). It will be appreciatedthat the preferred system provides a significantly improved system forsecure transmission which reduces the possibility of human error.

Monitoring Out-Bound E-Mails for Sensitive Information

[0270] In addition to the problem of sensitive data being intercepted bya third party between sender and recipient, organisations are atconsiderable risk from the deliberate release of sensitive informationby their users. For example, the practice of “electronically” stealingcopies of confidential documents, such as customer lists, before leavingthe employ of an organisation is easily achieved, virtually untraceable,and consequently widespread. All that is required is for the user tosend the document to his own private email address for later retrieval.The document need not even be sent via the organisation's own e-mailsystem, since an internet mail service, such as “Hotmail” may be used,making tracing the unauthorised ‘leak’ virtually impossible by currentmeans.

[0271] In addition to providing means to ensure that an appropriatelevel of encryption is applied to messages, the preferred system allowsmessages identified as potentially sensitive to be automaticallyredirected or copied to another destination without the users knowledge.In determining whether to re-direct such messages the preferred systemtakes into, account a number of factors including the identity of thesender, the identity of the intended recipient, the nature of theintended recipients address, the nature of the message content, thenature and existence of any attachments to the message, the means bywhich the message is intended to be transmitted, and whether or not themessage, and/or any attachments, are encrypted.

[0272] The nature of the message can be determined by scanning it forone or more keywords, or combinations of keywords, or by using standard‘natural language query’ techniques. The nature of the intendedrecipients' address may be determined by reference to a list of knowninternet mail service domains. For example “hotmail.com”, “yahoo.com”and “aol.com” are all predominantly used by individuals, notcorporations. Similarly, the address may be examined for similarities tothe senders name, for example an email known to be sent by Fred Smith tothe address “smith900@aol.com” could be considered suspicious by theinclusion of both “smith” and “aol.com” in the recipient address.Further examination of the message may support the likelihood of itbeing an unauthorised release of confidential data, for example if themessage consists only of file attachments with the message text andsubject blank, an important clue since the sender may be less likely totype text only he will read. The means by which the message is beingtransmitted is an important factor, for example a transmission sentusing an internet mail service such as hotmail may be considered muchmore suspect than one sent through the usual corporate e-mail system.

[0273] Indeed the ‘uploading’ of files to an internet mail service ispotentially so suspicious that the preferred embodiment provides meansto prohibit the uploading of files to such services altogether.

[0274] When re-directing mail, the preferred system adds additional textto the beginning of the mail, for example “_ _ _ Redirected.Mail - - -”, together with the addresses of the originally intended recipients,such that the new recipient can determine that it was re-directed tohim/her, and to whom it was originally sent.

[0275] If the forwarded message is to be encrypted, the preferred systemmay re-direct the message encrypted or unencrypted to the third party.Preferrably, the sender's encryption key is transmitted with the messageand means are provided for the third party to, unencrypt the message, ifit has already been encrypted, and encrypt the message with the originalsender's encryption key for transmission.

[0276] The preferred system also identifies incoming mail which has beenredirected (ie sent to a user who is not the originally intendedrecipient), by searching for the “- - - Redirected Mail - - - ” text.Such mail can be flagged for attention by the new recipient for exampleby using special icons, or by putting up a message box to notifyhim/her. Means may also be provided to allow the new recipient to easily‘approve’ the message and have it sent to the originally intendedrecipient(s). This can be achieved, for example by providing an“Approve” button. If this button is pressed, then the preferred systemcreates a new message in the same manner as if the user had pressed thenormal “Forward” button. However, instead of adding text to the messageto note that it has been forwarded, in the case of the “Approve” button,the system extracts the originally intended recipient list from themessage, and then strips out the redirection details to leave themessage in its original state. The destination fields “To”, “Cc” and“Bcc” are then automatically filled with the extracted originalrecipient addresses, and the “From” field (which exists for everymessage even if it is not normally displayed) is filled with theoriginal sender's name/address. The date/time field can also be adjustedto the date/time of the original message. The message is then sent,either automatically, or when the user presses the “Send” button. Inthis way, with the press of just one or two buttons, the re-directedmail can be approved and sent, and when delivered, will appear to havecome from the original recipient as if redirection had never takenplace.

[0277] Sample policy data for controlling the operation of a plug-inmodule implemented to re-direct mail is shown in FIG. 19 and a schematicillustration of the operation of such a plug-in module is shown in FIG.20. FIG. 19 is a policy data tree having a number of branches whichcorrespond to decision steps in FIG. 20.

[0278] The plug-in module is initiated at step S350 which corresponds topoint B in the illustration of the e-mail client operation in FIG. 5.Once initiated, the plug-in module steps through six steps determiningdifferent particulars of the outbound e-mail message. Firstly, in stepS351 the identity of the person sending the e-mail is checked againstentries in a predetermined list of names or addresses. E-mails fromusers on this list are deemed to have the authority to transmit e-mailsdirectly to the intended recipients regardless of the contents of themessage and regardless of the recipient. Anybody, not included on thelist may have their e-mail re-directed or not depending on its content.Thus, in decision step S351, if the user's name or address is found onthe list, then control passes to step S364 here the e-mail is allowed tobe transmitted without further interaction. If however, the user is noton the list, control passes to step S253 for further checks. In stepS352 the recipient of the outbound e-mail message is checked againstlook-up table s, specified on the Recipients branch of the policy datashown in FIG. 19. In the following decision step S354, the textcomprising the e-mail message, and any attachments attached to thee-mail message, is compared with entries in a look-up table t. Table tis referred to on the Keywords branch of the policy data and containswords that indicate the nature of the e-mail message might be sensitiveto the company. In the next step S356, the e-mail message is checked tosee whether or not it is to be encrypted. It will be remembered thatencryption does not occur until the moment the e-mail is transmitted, soat this stage the e-mail will only be flagged for encryption. In thenext decision step S358, it is determined whether or not the e-mailmessage contains attachments, and in the following decision step S360whether the e-mail message contains text to accompany the attachments,that is whether the body text of the e-mail message is blank.

[0279] In any of the decision steps S352, S354 or S362 where a look-uptable is consulted, a match between an entry in the look-up table and anentry in the e-mail indicates that the e-mail should be re-directed to athird party for checking before being sent out of the company. Forexample, if in step S354, the e-mail is found to contain the words‘confidential’ or ‘secret’, that will be enough to warrant the e-mailbeing checked by a third party before it is delivered to its intendedrecipient. This ensures that sensitive information is not sent out ofthe company without the company being aware. Control flows thereforefrom these steps to step S364 where text indicating that the email hasbeen redirected is added to the message, and the recipient address ischanged to that of the verifying party to whom the re-directed messageshould be transmitted. Control then passes to step S366 where the e-mailis transmitted. If the e-mail message has been marked for re-direction,in step S336 it will of course be transmitted to the verifying party forreview rather than the original recipient of the message.

[0280] In decision step S356 if encryption of the message is detectedthen that is deemed enough to warrant re-directing the message to athird party for review. Accordingly, if the message is to be encrypted,control passes from step S356 to step S364 where the message is modifiedfor re-direction. In the case of a message flagged for encryption, theencryption flag is preferably cleared, such that the message isre-directed without it being encrypted, allowing the new recipient toread it. The redirection text, added to the message, preferably alsoincludes the encryption key (which is generally the intended recipient'spublic key, and therefore not sensitive) such that the message can bere-encrypted prior to transmission.

[0281] Alternatively, the intended recipient's entire digitalcertificate could be included with the re-directed message. The publickey, or certificate, as the case may be, would then be removed by theautomated approval process described above.

[0282] If in step S358 the e-mail does not contain attachments then thee-mail is deemed to be unlikely to contain any documents or files ofpotentially sensitive information, and the e-mail is thus allowed to betransmitted without any further intervention in step S364. If the e-maildoes contain attachments, and in step S360, the e-mail is determined notto contain any text entered into the body or the subject of the message,then the message is recognised as one that is likely being sent to adifferent account of the sender. The e-mail is then forwarded in stepS362 and S364 to a third party for checking.

[0283]FIG. 21 shows the operation of the plug-in module to block theup-load of information from the company's computer system to an externalsite. A simple two stage check is used, comprising a check of theexternal site address in S372, following initiation at step S370, and acheck of sensitive keywords in the information being uploaded in stepS374. Providing the external site address is not found to be aprohibited site in step S372, and no sensitive keywords are detected instep S374, then up-load is allowed to proceed in step S376. Otherwise,the up-load is blocked in step S378.

[0284] The policy data for controlling the operation of the plug-inmodule for selectively blocking upload of information isstraightforward, and is shown at the bottom of FIG. 19.

[0285] In this way, outbound transmissions containing sensitiveinformation that are being transmitted for reasons that are not in thecompany's interests can be verified before transmission, andtransmission can be prevented if necessary.

Managing Forwarding of E-Mails

[0286] E-mail applications provide means to “Forward” incoming mail toone or more users. The user typically clicks a “Forward” button, whichcauses a copy of the incoming mail to be automatically entered into themail composition window, as if the user had keyed it himself. All thatis then required is for the user to enter the names of the intendedrecipients of the forwarded mail and to click the “Send” button. This isa useful feature allowing a user to easily share the contents of areceived e-mail with others.

[0287] A problem can arise however in the case of mail containingsensitive information, particularly if the sensitive nature of the mailis not immediately apparent, for example if the sensitive informationappears lower down in the mail, such that the user is required to scrolldown the viewing window in order to read it. Users frequently forwarde-mails after scanning only the first few lines, or in some cases onlythe subject line, particularly when they have large amounts of e-mailsto process. As a consequence, sensitive information is oftenunintentionally disclosed, both within the organisation, and moredangerously, outside it. There have been several high profile caseswhere considerable sums have been lost as a result.

[0288] The preferred system therefore provides means of controlling theforwarding of e-mails. Such controls include providing warnings to theuser before a forwarded e-mail is transmitted and preventing the e-mailfrom being forwarded altogether. Means to approve the e-mail prior totransmission, or to re-direct it to another user, as described abovecould also be provided.

[0289] Preferably, forwarding occurs in accordance with the content ofthe e-mail, and the addresses of the recipients to whom it has alreadybeen sent. For example, the sensitive nature of the e-mail can bedetermined by a number of methods including scanning it for keywordssuch as “confidential”, or by checking if the sensitivity attribute hasbeen set to “Personal”, “Private” or “Confidential”. Means for theoriginal composer of the message to mark is as unsuitable for futureforwarding can also be provided by inserting pre-defined keystrings,such as “<NOFORWARD>” (preventing any forwarding), or“<NOFORWARDEXTERNAL>” (preventing forwarding outside the organisation).Such means could also be provided in the form of an additional attributeto the message.

[0290] In addition to content based factors, the preferred systemqueries the list of previous recipients of the message. If the e-mailhas already been sent out of the organisation by the original composer,then it may for example be considered safe to allow it to be furtherforwarded externally. Similarly, if the original e-mail was only sent toa single recipient, then it may be determined that the original composerdid not intend it to be widely circulated and an appropriate warningcould be issued. The course of action in response to the factorsdescribed can be determined in accordance with policy.

[0291] The fact that an e-mail that is about to be transmitted is aforwarded e-mail can be readily determined by scanning the e-mail forkeystrings such as “- - - Original Message - - - ” which isautomatically added at the beginning of the original mail by the E-Mailprogram. Similarly, the list of previous recipients can be determined byscanning for the keystrings “To:” and “Cc:” which follow the originalmessage string. The list of recipients is found immediately after thesekeystrings. Internal and external recipients can be readilydistinguished by reference to the domain name (if any). For example, arecipient name shown as “Fred Smith” is typically internal, whereas“fsmith@xyz.com” is typically external.

[0292] Policy data for instructing the operation of a plug-in moduleimplemented to control forwarding of e-mail messages is shown in FIG.22, and the operation of such a module in FIG. 23.

[0293] The policy data tree contains a number of sub-branches specifyingparameters against which command values can be set. For example, thefirst sub-branch “PreventAll” when set to YES instructs the module toprevent all e-mails from being forwarded. The next sub-branch WarnAllwhen set to YES, requires the module to give a warning to the e-mailclient user whenever an e-mail is about to forwarded. The next twosub-branches PreventExternal and WarnExternal contain correspondingparameters for external e-mails only and allow the user of the e-mailclient to distinguish between rules affecting forwarding of e-mailswithin the company and forwarding of e-mails to people outside thecompany. The “PreventKeywords” branch specifies a look-up table in whichkeywords indicative of sensitive information are stored Such keywordsmay be predefined key strings such as <NOFORWARD> or<NOFORWARDEXTERNAL>, or one or more pre-determined words.

[0294] The e-mail is scanned before transmission and if such a keywordis found in the text of the e-mail or in any attachments of the e-mail,the e-mail will not be allowed to be forwarded. The last twosub-branches PreventIfNotSentExternally when sent to YES will inhibitthe transmission of the forwarded e-mail outside of the company if ithas not been transmitted outside of the company before. In practice theforwarded e-mail may be transmitted to all of the recipients internal tothe company, with the external recipients simply being deleted from therecipient list or alternatively, before transmission, the user may berequired to modify the address list such that it does not containexternal recipients.

[0295] Finally, the parameter set on the PreventIfSingleRecipient branchwhen sent to YES prevents forwarding of any e-mail messages if theoriginal recipient of the message was a single person.

[0296] The operation of the plug in module is illustrated in FIG. 23.The plug-in module is initiated at step S380, again at point B in FIG.5. In decision step S382, the e-mail is given a preliminary scan to seewhether it contains the keystring. “- - - Original message - - - ”,since this key string is automatically added at the beginning of theoriginal mail by the e-mail program when generating a message forforwarding. If the e-mail message does not contain this keystring, thenit may be deduced that the e-mail message is an original message and isnot being forwarded and the message may be transmitted in step S384. Ifhowever in step S382 the message is found to contain the key string“- - - Original message - - - ”, then the e-mail message is clearly aforwarded message, and the module takes further steps to determinewhether or not to allow the forwarded message to be transmitted. Controlthen flows to step S386 in which the reipients of the forwarded messageare checked to see if any are external to the on-line company. If thereis an external recipient, then in step S388, the plug-in module scansthe e-mail message to see whether the e-mail has been forwarded to arecipient outside of the company before. If it has not then the e-mailmessage is prevented from being forwarded in step S390 and the user ofthe e-mail client is notified. However, if the e-mail message hasbeen-sent out of the company before, then a warning is issued to theuser in step S392, following which the e-mail message may either betransmitted by the user or may be returned to the user for him to revisethe intended recipients.

[0297] If in step S386 the forwarded message is not to be sent to anaddress outside of the company, then control passes to step S394, inwhich it is determined whether the user was the only recipient of theoriginal message. If he was, then it maybe the case that the originalcomposer of the message did not intend for it to be transmitted to awide audience. Accordingly, control flows to step S390 where thetransmission of the forwarded e-mail message is blocked. This is inaccordance with the policy data shown in FIG. 22, which specifies takingsuch action. Alternatively, a warning may be issued to the userattempting to forward the message.

[0298] The last check made is in decision step S396 in which thecontents of the message and any attachments attached to it are comparedwith entries in a keywords table. If any matches between entries in thee-mail and those in the table are found then the message is consideredto contain sensitive information and is not forwarded. The module thenends at step S390. If no sensitive keywords are found then the e-mail isallowed to be forwarded in step S384.

Managing Signing of Out-Bound Transmissions

[0299] The ability to use a Digital Certificate to sign a message isclearly valuable to the recipient of the message in establishing theidentity of the sender, and to both parties in ensuring the message isnot tampered with. The sender of the message should however be awarethat a digitally signed message potentially constitutes a bindingcontract, which cannot be denied or revoked once sent. It is thereforeimperative that care is used when digitally signing a document, just ascare should be exercised when appending a written signature to a paperdocument. E-mail applications, such as Microsoft Corporation's “Outlook”provide means to digitally sign messages automatically, and while thismay be valuable in confirming the identity of the sender to therecipient, for the reasons described above, it is also potentiallydangerous, requiring the user to take extreme care with the messagecontent.

[0300] The preferred system provides means to control the signing ofoutgoing messages, according to policy data. Sample policy data is shownin FIG. 24. Such controls include:

[0301] enforcing that a message be signed;

[0302] suggesting to the user that a message be signed;

[0303] suggesting to the user that a message should NOT be signed; and

[0304] preventing a message being signed.

[0305] In determining which course of action to take, the preferredsystem takes into account a number of factors, including the nature ofthe message content (including any attachments), the identity of theintended recipient and/or his organisation, the identity of the sender,the nature of the digital certificate being used (if the message hasalready been flagged for signature), and the nature of the digitalcertificate(s) available to sign the message.

[0306] The nature of the message can be determined by scanning it forone or more keywords, or combinations of keywords, or by using standard‘natural language query’ techniques. Similarly, the nature of theintended or available digital certificates can be determined byreference to the issuer and type of certificate.

[0307]FIG. 25 illustrates the operation of a plug-in module for ensuringthat an e-mail is appropriately digitally signed or not. The module isinitiated in the step S400, at point B in the operation of the e-mailclient illustrated in FIG. 5. Control then passes to decision step S402in which the outbound e-mail is scanned to see whether it has beenmarked for signature already. Actual signing of the message will notoccur until directly before transmission. If it is not marked forsignature control passes to S404 where the module consults a Recipientslook-up table (table f) to determine whether the Recipient of theoutbound e-mail has been identified-as one to whom e-mails should alwaysbe digitally signed. If the Recipient is in table f, then control passesto step S406 where the user of the e-mail client is notified that thee-mail will not be sent unless it is digitally signed. Alternatively,the plug-in module may automatically digitally sign the e-mail using thee-mail author's digital certificate.

[0308] If in step S404, the recipient of the outbound e-mail is notfound in the look-up table, then control passes to decision step S408where the KeywordsTable on the EnforceSigning branch of the policy treeis then consulted. Should any of the keywords in table g be found in thetext of the e-mail or in any of the attachments of the e-mail, digitallysigning of the e-mail will be required, and control will pass to stepS406 as before. It will be appreciated that decision steps S404 and S406correspond to look-up commands for consulting look-up Recipients andKeywords tables on the EnforceSigning branch of the policy data.

[0309] Such Keywords may be predetermined words like “Confidential”,“Secret”, “Contract”, “Quotation”, “Order” and so on as illustrated inFIG. 24.

[0310] If the recipients of the e-mail are not to be found in table f,and the e-mail does not contain Keywords specified in table g, thencontrol passes to decision step S410 corresponding to a look-up commandon the SuggestSigning branch of the sample policy data. In decision stepS410 the recipients address is checked against those in the look-uptable h to determine whether signing of the e-mail is advised. If therecipient's name is found in table h, then control passes to step S412,where the user of the e-mail client is notified of the desirability todigitally sign the outbound e-mail message. However, the user of thee-mail client is not required to digitally sign the e-mail message andthe e-mail may therefore be transmitted without signature if the user sochooses. Following decision step S410, if the recipient's name is notfound in table h, control passes to decision step S414, where as before,the e-mail text is searched for a number of keywords which mightindicate that it contains sensitive data and requires a digitalsignature. Depending on whether the e-mail contains such sensitivekeywords, the user of the e-mail client is either notified in step S412of the desirability to digitally sign the message, or alternatively, thee-mail message is transmitted without signature in step S416.

[0311] If in step S402 following initiation of the plug-in module, thee-mail is found to have been marked for signature then control passes todecision step S418. In decision step S418 the plug-in module consultslook-up table m in the DenySigning branch specified under theDenySigning branch of the policy data. Table m is specified on theCertificatesUsed branch under the DenySigning branch, and specifies theissuer, type, certificate number or signing key of digital certificatesthat are deemed of interest. Should the digital certificate or signingkey that is to be used to sign the outbound e-mail be found in table m,then further checks as to Recipient and the nature of the outbounde-mail will be made to determine whether it is appropriate to sign themessage or not. Control passes to step S420, where the recipient of theoutbound e-mail is checked against Recipient table n and then todecision step S422 where the text of the e-mail and any attachments arescanned for various keywords. If in either of decision steps S420 orS422, the recipient or any text in the message match that defined in thelook-up tables control passes to step S424 where transmission of thee-mail is blocked. The user of the e-mail client may then be returned tothe e-mail text entry stage, and he may be required to re-transmit themessage without digitally signing it.

[0312] If in either of steps S418 or S422 the certificate or signing keyis not found to be one of interest, and the text of the e-mail is foundnot to contain any sensitive words, control passes to step S426 whichcorresponds to the first sub-branch on the SuggestNotSigning branch ofthe policy data tree. As for the DenySigning branch of the policy datatree, the three decision steps S426, S428 and S430, correspond to thelook-up commands for checking the digital certificate or signing keyused with the e-mail, the recipient of the outbound e-mail and the textof the outbound e-mail against predetermined sensitive entries inlook-up tables j, k and l respectively. If in step S426 the certificateused to sign the outbound e-mail is found to be one of interest, and ineither of steps S428 or step S430, the recipient or the text of theoutbound e-mail is found to match entries in the specified look-uptables, control will flow to step S432 in which the user of the e-mailclient will be notified of the desirability of not digitally signing theoutbound e-mail message. The user however may still be free to send thesigned e-mail message if he so wishes.

[0313] If in either of decision steps S426, S428 and S430 no match isfound then the e-mail is sent normally in step S416.

Instant Messaging and Telephony Applications

[0314] In addition to browser and email activity, additionalapplications such as Instant Messaging (also known as ‘chat’) anddigital telephony applications such as “Voice Over IP”) are now becomingpopular in business situations. Instant Messaging standards are definedin RFCs 2778 and 2779 and by the IETF SIMPLE working group. Voice OverIP standards are defined in ITU-T Recommendation H.323 (1998). Manyaspects of the present invention can be applied to the data transmittedand received by such applications. Instant Messaging is conceptuallysimilar to a series of sent and received emails, except that the‘conversation’ is carried out ‘live’ with both parties presentthroughout. For the purposes of the present invention however theprocedures are identical. FIG. 5 in the drawings can represent InstantMessaging by replacing the word “E-mail” in steps S122, S124, S132 andS134 with the word “Message”. The “E-mail Server” description 95 isreplaced with “Message Relay”. The preferred embodiment is arranged soas to intercept at points A and B as before, by providing a plug-in tothe Internet Messaging application, or by developing an InstantMessaging application which contains the plug-in functionality.Alternatively, it will be appreciated that the interception could occurat the protocol level, intercepting network packets before they leavethe user machine, or as they arrive at the user machine, or at someintermediate point on the network.

[0315] Voice Over Internet Protocol (VOIP) is conceptually similar toInstant Messaging, except that the message content consists of digitisedspeech, which is encoded and transmitted immediately. Message contentanalysis is impractical, however means to record the message and toplace controls at the ‘call’ level are viable and are implemented in asimilar manner, either as a plug-in to the voice messaging application,or at the network protocol level, either within the user machine, or atsome intermediate point on the network.

[0316] Although the implementation of the preferred system has beendescribed with reference to plug-in modules for existing applications,the invention may be implemented by providing web browsers, e-mailclients, instant messaging applications or Voice Over IP applications inwhich the functionality of the plug-in modules described here is alreadycoded from the outset.

1. An information management system comprising: a plurality ofworkstations adapted for connection to a computer network, eachworkstation having a memory; a data repository arranged to receive datafrom each of said workstations; an application stored in said memory ofeach workstation for transmitting outbound data to said network andreceiving inbound data from said network; policy data containing rulesdefining relevant data which is to be stored in said data repository;and an analyser, said analyser being operable in conjunction with saidpolicy data to monitor at least one of said outbound data and saidinbound data, to identify in at least one of said outbound data and saidinbound data, relevant data that is to be stored in said data repositoryin accordance with said rules in said policy data, and to cause saidrelevant data to be stored in said data repository.
 2. The system ofclaim 1 wherein said relevant data that is to be stored in said datarepository is encrypted prior to it being transmitted to said datarepository.
 3. The system of claim 1 wherein said relevant data that isstored in said data repository is encrypted.
 4. The system of claim 1wherein said computer network, to which said one or more workstationsare adapted for connection, is the Internet.
 5. The system of claim 4wherein said analyser is operable to identify, as relevant data, atleast one of usernames and passwords used to identify a user, andusernames and passwords used to access web pages on the Internet, andthe URL address of the web page at which those usernames and passwordsare used, said identified usernames, passwords and said identified URLsbeing stored in said data repository.
 6. The system of claim 5 whereinsaid analyser is operable to identify usernames and passwords from thefield names of data contained in at least one of said outbound data andsaid inbound data.
 7. The system of claim 5 wherein a representation ofthe input fields of a web page is stored in said memory of said one ormore workstations, and wherein said analyser is operable to identifyusernames and passwords from said representation.
 8. The system of claim5 wherein said analyser is operable to identify usernames or passwordsfrom the field types of data contained in said outbound or said inbounddata.
 9. The system of claim 4 wherein said analyser is operable toidentify, as relevant data, digital certificates contained in at leastone of said outbound or said inbound data or used to digitally signsigned data in said inbound data or said outbound data, or sufficientdescriptive data to identify such digital certificates, said digitalcertificates and/or said descriptive data being stored in said datarepository.
 10. The system of claim 9 wherein said analyser is operableto identify one or more of the following data as relevant data: whetheror not said digital certificate has been revoked; the identity of theholder of said digital certificate; the amount of any eCommercetransaction being made that is related to said digital certificate; thegoods or services being sold in any eCommerce transaction being madewith said digital certificate; the date of receipt of said digitalcertificate; and wherein said identified data is stored with saiddigital certificate in said data repository.
 11. The system of claim 4wherein the analyser is operable to identify when an eCommercetransaction is occurring and if an eCommerce transaction is identifiedas occurring, to identify in said outbound or said inbound data one ormore of the following data as relevant data: the URL address or e-mailaddress of the remote location to which outbound data is beingtransmitted or inbound data is being received; the web pages accessed bya user of said one or more workstations during the transaction; theamount of the transaction; the goods or services being traded in thetransaction; the date of the transaction; and wherein said relevant datais stored in said data repository.
 12. The system of claim 1 whereinsaid analyser is located on each of said one or more workstations. 13.The system of claim 1 wherein said application is a web browser.
 14. Thesystem of claim 13 wherein said analyser is a plug-in module of said webbrowser.
 15. The system of claim 14 wherein said web browser isMicrosoft's Internet Explorer and said analyser is a Browser HelperObject.
 16. The system of claim 1 wherein said application is an e-mailclient.
 17. The system of claim 16 wherein said analyser is a plug-inmodule of said e-mail client.
 18. The system of claim 17 wherein saide-mail client is Microsoft's Outlook e-mail client and said analyser isa Microsoft Exchange client extension.
 19. The system of claim 1 whereinsaid application is an Instant messaging application.
 20. The system ofclaim 19 wherein said analyser is a plug-in of said Instant messagingapplication.
 21. The system of claim 1 wherein said application is aVoice Messaging application.
 22. The system of claim 21 wherein saidanalyser is a plug-in of said Voice messaging application.
 23. Thesystem of claim 1 wherein said network includes a server and saidanalyser is located at a point on said network intermediate said one ormore workstations and said server, or said analyser is located at saidserver.
 24. The system of claim 1 further comprising a supervisorworkstation, said supervisor workstation having access to said datarepository and being operable to view said relevant data stored in saiddata repository.
 25. The system of claim 24 wherein said policy data isaccessible by said supervisor workstation, such that a user of saidsupervisor workstation can edit said policy data.
 26. The system ofclaim 1 wherein a workstation of said plurality of workstations hasaccess to said data repository and is operable to view said relevantdata stored in said data repository.
 27. The system of claim 1 whereinsaid computer network to which said one or more workstations are adaptedfor connection is a public computer network, arid wherein said one ormore workstations together form a private computer network.
 28. Aninformation management system comprising: a plurality of workstationsadapted for connection to a computer network, each workstation having amemory; storage means for storing data received from each of saidworkstations; application means, stored in said memory of eachworkstation, for transmitting outbound data to said network andreceiving inbound data from said network; policy storage means forproviding policy data containing rules defining relevant data which isto be stored in said storage means; and analysing means, operable inconjunction with said policy means, for monitoring at least one of saidoutbound data and said inbound data, identifying in at least one of saidoutbound data and said inbound data, relevant data that is to be storedin said storage means in accordance with said rules in said policymeans, and causing said relevant data to be stored in said storagemeans.
 29. The system of claim 28 wherein said relevant data that is tobe stored in said storage means is encrypted prior to it beingtransmitted to said storage means.
 30. The system of claim 28 whereinsaid relevant data that is stored in said storage means is encrypted.31. The system of claim 28 wherein said computer network, to which saidone or more workstations are adapted for connection, is the Internet.32. The system of claim 31 wherein said analysing means is operable toidentify, as relevant data, at least one of usernames and passwords usedto identify a user, and usernames and passwords used to access web pageson the Internet, and the URL address of the web page at which thoseusernames and passwords are used, said identified usernames, passwordsand said identified URLs being stored, in said storage means.
 33. Thesystem of claim 32 wherein said analysing means is operable to identifyusernames and passwords from the field names of data contained in atleast one of said outbound data and said inbound data.
 34. The system ofclaim 32 wherein a representation of the input fields of a web page isstored in said memory of said one or more workstations, and wherein saidanalysing means is operable to identify usernames and passwords fromsaid representation.
 35. The system of claim 32 wherein said analysingmeans is operable to identify usernames or passwords from the fieldtypes of data contained in said outbound or said inbound data.
 36. Thesystem of claim 31 wherein said analysing means is operable to identify,as relevant data, digital certificates contained in at least one of saidoutbound or said inbound data or used to digitally sign signed data insaid inbound data or said outbound data, or sufficient descriptive datato identify such digital certificates, said digital certificates and/orsaid descriptive data being stored in said storage means.
 37. The systemof claim 36 wherein said analysing means is operable to identify one ormore of the following data as relevant data: whether or not said digitalcertificate has been revoked; the identity of the holder of said digitalcertificate; the amount of any eCommerce transaction being made that isrelated to said digital certificate; the goods or services being sold inany eCommerce transaction being made with said digital certificate; thedate of receipt of said digital certificate; and wherein said identifieddata is stored with said digital certificate in said storage means. 38.The system of claim 31 wherein the analysing means is operable toidentify when an eCommerce transaction is occurring and if an eCommercetransaction is identified as occurring, to identify in said outbound orsaid inbound data one or more of the following data as relevant data:the URL address or e-mail address of the remote location to whichoutbound data is being transmitted or inbound data is being received;the web pages accessed by a user of said one or more workstations duringthe transaction; the amount of the transaction; the goods or servicesbeing traded in the transaction; the date of the transaction; andwherein said relevant data is stored in said storage means.
 39. Thesystem of claim 28 wherein said analysing means is located on each ofsaid one or more workstations.
 40. The system of claim 28 wherein saidapplication means is a web browser.
 41. The system of claim 40 whereinsaid analysing means is a plug-in module of said web browser.
 42. Thesystem of claim 41 wherein said web browser is Microsoft's InternetExplorer and said analysing means is a Browser Helper Object.
 43. Thesystem of claim 28 wherein said application means is an e-mail client.44. The system of claim 43 wherein said analysing means is a plug-inmodule of said e-mail client.
 45. The system of claim 44 wherein saide-mail client is Microsoft's Outlook e-mail client and said analysingmeans is a Microsoft Exchange client extension.
 46. The system of claim28 wherein said application is an Instant messaging application.
 47. Thesystem of claim 46 wherein said analysing means is a plug-in of saidInstant messaging application.
 48. The system of claim 28 wherein saidapplication means is a Voice Messaging application.
 49. The system ofclaim 48 wherein said analysing means is a plug-in of said Voicemessaging application.
 50. The system of claim 28 wherein said networkincludes a server and said analysing means is located at a point on saidnetwork intermediate said one or more workstations and said server, orsaid analysing means is located at said server.
 51. The system of claim28 further comprising a supervisor workstation, said supervisorworkstation having access to said storage means and being operable toview said relevant data stored in said storage means.
 52. The system ofclaim 51 wherein said policy storage means is accessible by saidsupervisor workstation, such that a user of said supervisor workstationcan edit said policy data.
 53. The system of claim 28 wherein aworkstation of said plurality of workstations has access to said storagemeans and is operable to view said relevant data stored in said storagemeans.
 54. The system of claim 28 wherein said computer network to whichsaid one or more workstations are adapted for connection is a publiccomputer network, and wherein said one or more workstations togetherform a private computer network.
 55. A method of managing informationcomprising the steps of: providing a plurality of workstations adaptedfor connection to a computer network, each workstation having a memory;providing a data repository arranged to receive data from each of saidworkstations; providing an application stored in said memory of eachworkstation for transmitting outbound data to said network and receivinginbound data from said network; providing policy data containing rulesdefining relevant data which is to be stored in said data repository;and analysing at least one of said outbound data and said inbound data,with reference to said policy data, to identify in at least one of saidoutbound data and said inbound data, relevant data that is to be storedin said data repository in accordance with said rules in said policydata; and storing said relevant data in said data repository.
 56. Themethod of claim 55 further comprising the step of encrypting saidrelevant data that is to be stored in said data repository prior to itbeing stored in said data repository.
 57. The method of claim 55 furthercomprising the step of encrypting said relevant data that is stored insaid data repository after it has been stored in said data repository.58. The method of claim 55 wherein said computer network, to which saidone or more workstations are adapted for connection, is the Internet.59. The method of claim 58 wherein in the analysing step, at least oneof usernames and passwords used to identify a user, and usernames andpasswords used access web pages on the Internet, and the URL address ofthose web pages are identified as relevant data.
 60. The method of claim59 wherein in said analysing step, usernames and passwords areidentified from the field names of data contained in at least one ofsaid outbound data and said inbound data.
 61. The method of claim 59wherein a representation of the input fields of a web page is stored insaid memory of said one or more workstations, and wherein in saidanalysing step usernames and passwords are identified from saidrepresentation.
 62. The method of claim 59 wherein in said analysingstep usernames or passwords are identified from the field types of datacontained in said outbound or said inbound data.
 63. The method of claim58 wherein in said analysing step, digital certificates contained in atleast one of said outbound or said inbound data or used to digitallysign signed data in said inbound or said outbound data, are identifiedas relevant data, or sufficient descriptive data to identify suchdigital certificates, is identified as relevant data.
 64. The method ofclaim 63 wherein said analysing step includes identifying one or more ofthe following data as relevant data: whether or not said digitalcertificate has been revoked; the identity of the holder of said digitalcertificate; the amount of any eCommerce transaction being made that isrelated to said digital certificate; the goods or services being sold inany eCommerce transaction being made with said digital certificate; andthe date of receipt of said digital certificate.
 65. The method of claim58 wherein said analysing step includes identifying when an eCommercetransaction is occurring and if an on-line eCommerce transaction isidentified as occurring, identifying in said outbound or said inbounddata one or more of the following data as relevant data: the URL addressor e-mail address of the remote location to which outbound data is beingtransmitted or inbound data is being received; the web pages accessed bya user of said one or more workstations during the transaction; theamount of the transaction; the goods or services being traded in thetransaction; the date of the transaction.
 66. The method of claim 55wherein said analysing step is carried out at said one or moreworkstations.
 67. The method of claim 55 wherein said application is aweb browser.
 68. The method of claim 67 wherein said analysing step isperformed by a plug-in module of said web browser.
 69. The method ofclaim 68 wherein said web browser is Microsoft's Internet Explorer andsaid plug-in module is a Browser Helper Object.
 70. The method of claim55 wherein said application is an e-mail client.
 71. The method of claim70 wherein said analysing step is performed by a plug-in module of saide-mail client.
 72. The method of claim 71 wherein said e-mail client isMicrosoft's Outlook e-mail client and said plug-in module is a MicrosoftExchange client extension.
 73. The method of claim 55 wherein saidapplication is an Instant messaging application.
 74. The method of claim73 wherein said analyser is a plug-in of said Instant messagingapplication.
 75. The method of claim 55 wherein said application is aVoice Messaging application.
 76. The method of claim 75 wherein saidanalysing step is performed by a plug-in of said Voice messagingapplication.
 77. The method of claim 55 wherein said network includes aserver and said analysing step is performed at a point on said networkintermediate said one or more workstations and said server, or saidanalysing step is performed at said server.
 78. The method of claim 55further comprising the step of providing a supervisor workstation, saidsupervisor workstation having access to said data repository and beingoperable to view said relevant data stored in said data repository. 79.The method of claim 78 wherein said policy data is accessible by saidsupervisor workstation, such that a user of said supervisor workstationcan edit said policy data.
 80. The method of claim 55 wherein aworkstation of said plurality of workstations has access to said datarepository and is operable to view said relevant data stored in saiddata repository.
 81. The method of claim 55 wherein said computernetwork to which said one or more workstations are adapted forconnection is a public computer network, and wherein said one or moreworkstations together form a private computer network.
 82. A computerprogram product, for controlling a plurality of computers in a privatenetwork to manage information, the network having a data repositoryarranged to receive data from the plurality of computers and policy datacontaining rules defining relevant data which is to be extracted from atleast one of outbound data transmitted to a public network or inbounddata received from the public network and stored in the data repository,comprising: a recording medium readable by the computer, having programcode recorded thereon which when executed on each of said plurality ofcomputers, configures said computers to: analyse, in conjunction with anapplication running on each of said computers that is operable totransmit the outbound data and receive the inbound data, at least one ofsaid outbound data and said inbound data, with reference to said policydata, to identify in at least one of said outbound data and said inbounddata, relevant data that is to be stored in said data repository inaccordance with said rules in said policy data; and cause said relevantdata to be stored in said data repository.
 83. The computer programproduct of claim 82 wherein said program code when executed on saidcomputer is operable to cause said relevant data that is to be stored insaid data repository to be encrypted prior to it being stored in saiddata repository.
 84. The computer program product of claim 82 whereinsaid program code when executed on said computer is operable to causesaid relevant data that is stored in said data repository to beencrypted.
 85. The computer program product of claim 82 wherein saidapplication is adapted to-transmit outbound data to the Internet andreceive inbound data from the Internet.
 86. The computer program productof claim 85 wherein at least one of usernames and passwords used toidentify a user,,and usernames and passwords used to access web pages onthe Internet, and the URL address of those web pages, are identified asrelevant data.
 87. The computer program product of claim 86 whereinusernames and passwords are identified from the field names of datacontained in at least one of said outbound data and said inbound data.88. The computer program product of claim 86 wherein a representation ofthe input fields of a web page is stored in said memory of said one ormore workstations, and wherein said usernames and passwords areidentified from said representation.
 89. The computer program product ofclaim 86 wherein usernames or passwords are identified from the fieldtypes of data contained in said outbound or said inbound data.
 90. Thecomputer program product of claim 85 wherein digital certificatescontained in at least one of said outbound or said inbound data or usedto digitally sign signed data in said inbound data or said outbounddata, or sufficient descriptive data to identify any such digitalcertificates, are identified as relevant data.
 91. The computer programproduct of claim 90 wherein one or more of the following data areidentified as relevant data: whether or not said digital certificate hasbeen revoked; the identity of the holder of said digital certificate;the amount of any eCommerce transaction being made that is related tosaid digital certificate; the goods or services being sold in anyeCommerce transaction being made with said digital certificate; and thedate of receipt of said digital certificate
 92. The computer programproduct of claim 85 wherein the program code when executed on saidcomputer is further operable to: identify when an eCommerce transactionis occurring; and if an eCommerce transaction is identified asoccurring, to identify in said outbound or said inbound data one or moreof the following data as relevant data: the URL address or e-mailaddress of the remote location to which outbound data is beingtransmitted or inbound data is being received; the web pages accessed bya user of said one or more workstations during the transaction; theamount of the transaction; the goods or services being traded in thetransaction; and the date of the transaction.
 93. The computer programproduct of claim 82 wherein said program code is executable at each ofsaid computers.
 94. The computer program product of claim 82 whereinsaid application is a web browser.
 95. The computer program product ofclaim 94 wherein said program code when executed on said computer is aplug-in module of said web browser.
 96. The computer program product ofclaim 95 wherein said web browser is Microsoft's Internet Explorer andsaid plug-in module is a Browser Helper Object.
 97. The computer programproduct of claim 82 wherein said application is an e-mail client. 98.The computer program product of claim 97 wherein said program code whenexecuted on said computer is a plug-in module of said e-mail-client. 99.The computer program product of claim 98 wherein said e-mail client isMicrosoft's Outlook e-mail client and said plug-in module is a MicrosoftExchange client extension.
 100. The computer software product of claim82 wherein said application is an Instant messaging application. 101.The computer software product of claim 100 wherein said program codewhen executed on said computer is a plug-in of said Instant messagingapplication.
 102. The computer software product of claim 82 wherein saidapplication is a Voice Messaging application.
 103. The computer softwareproduct of claim 102 wherein said program code when executed on saidcomputer is a plug-in of said Voice messaging application.
 104. Thecomputer program product of claim 82 wherein said network includes aserver and said program code is executable at a point on said networkintermediate said one or more workstations and said server, or saidprogram code is executable at said server.
 105. The computer programproduct of claim 82 further comprising program code recorded on therecording medium which when executed on a computer in said plurality ofcomputers enables that computer as a supervisor workstation, saidsupervisor workstation having access to said data repository and beingoperable to view said relevant data stored in said data repository. 106.The computer program product of claim 105 wherein said policy data isaccessible by said supervisor workstation, such that a user of saidsupervisor workstation can edit said policy data.
 107. The computerprogram product of claim 82 further comprising program code recorded onthe recording medium which when executed on a computer in said pluralityof computers provides that computer with access to said data repositorysuch that a users of said computer can view said relevant data stored insaid data repository.
 108. A system for recording passwords andusernames comprising: a plurality of workstations adapted for connectionto the Internet, each workstation having a memory; a data repositoryarranged to receive data from each of said workstations; an applicationstored in said memory of each workstation for transmitting outbound dataand receiving inbound data from the Internet; and/or an application forreceiving user input data; and an analyser, said analyser being operableto monitor at least one of said input data, said outbound data and saidinbound data, to identify usernames and passwords contained in said userinput data, said outbound data or said inbound data, and to cause saidusernames and passwords to be stored in said data repository.
 109. Thesystem of claim 108 wherein said analyser is operable to determinewhether the usernames and passwords are used to access a web page, andif they are, to identify the URL address of said web page and cause saidURL to be stored in said data repository with said usernames andpasswords.
 110. The system of claim 108 wherein said relevant usernamesand passwords data are encrypted prior to being transmitted to said datarepository.
 111. The system of claim 108 wherein said relevant usernamesand passwords that are stored in said data repository are encrypted.112. The system of claim 108 wherein said analyser is operable toidentify said relevant usernames and passwords from the field names ofdata contained in at least one of said outbound data or said inbounddata.
 113. The system of claim 108 wherein a representation of the inputfields of a web page is stored in said memory of said one or moreworkstations, and wherein said analyser is operable to identify saidrelevant usernames and passwords from said representation.
 114. Thesystem of claim 108 wherein said analyser is operable to identify saidrelevant usernames or passwords from the field types of data containedin said outbound or said inbound data.
 115. The system of claim 108wherein said application has a user interface provided with a ‘rememberpassword’ option which when selected stores input usernames andpasswords in memory, and said analyser is operable to identify saidrelevant usernames and passwords in said input usernames and passwordsstored in memory.
 116. The system of claim 108 wherein said analyser islocated on each of said one or more workstations.
 117. The system ofclaim 108 wherein said application is a web browser.
 118. The system ofclaim 117 wherein said analyser is a plug-in module of said web browser.119. The system of claim 118 wherein said web browser is Microsoft'sInternet Explorer and said analyser is a Browser Helper Object.
 120. Thesystem of claim 108 wherein said application is an Instant messagingapplication.
 121. The system of claim 120 wherein said analyser is aplug-in of said Instant messaging application.
 122. The system of claim108 wherein said network comprises a server and said analyser is locatedat a point on said network intermediate said one or more workstationsand said server, or said analyser is located at said server.
 123. Thesystem of claim 108 further comprising a supervisor workstation, saidsupervisor workstation having access to said data repository and beingoperable to view said relevant usernames and passwords stored in saiddata repository.
 124. The system of claim 108 wherein a workstation ofsaid plurality of workstations has access to said data repository and isoperable to view said relevant and passwords usernames stored in saiddata repository.
 125. A system for recording passwords and usernamescomprising: a plurality of workstations adapted for connection to theInternet, each workstation having a memory; storage means for receivingdata from each of said workstations; application means, stored in saidmemory of each workstation, for transmitting outbound data and receivinginbound data from the Internet; and/or application means for receivinguser input data; and analysing means for monitoring at least one of saidinput data, said outbound data and said inbound data, to identifyusernames and passwords contained in said user input data, said outbounddata or said inbound data, and for causing said usernames and passwordsto be stored in said storage means.
 126. The system of claim 125 whereinsaid analysing means is operable to determine whether the usernames andpasswords are used to access a web page, and if they are, to identifythe URL address of said web page and cause said URL to be stored in saidstorage means with said usernames and passwords.
 127. The system ofclaim 125 wherein said relevant usernames and passwords data areencrypted prior to being transmitted to said storage means.
 128. Thesystem of claim 125 wherein said relevant usernames and passwords thatare stored in said storage means are encrypted.
 129. The system of claim125 wherein said analysing means is operable to identify said relevantusernames and passwords from the field names of data contained in atleast one of said outbound data or said inbound data.
 130. The system ofclaim 125 wherein a representation of the input fields of a web page isstored in said memory of said one or more workstations, and wherein saidanalysing means is operable to identify said relevant usernames andpasswords from said representation.
 131. The system of claim 125 whereinsaid analysing means is operable to identify said relevant usernames orpasswords from the field types of data contained in said outbound orsaid inbound data.
 132. The system of claim 125 wherein said applicationmeans has a user interface provided with a ‘remember password’ optionwhich when selected stores input usernames and passwords in memory, andsaid analysing means is operable to identify said relevant usernames andpasswords in said input usernames and passwords stored in memory. 133.The system of claim 125 wherein said analysing means is located on eachof said one or more workstations.
 134. The system of claim 125 whereinsaid application means is a web browser.
 135. The system of claim 134wherein said analysing means is a plug-in module of said web browser.136. The system of claim 135 wherein said web browser is Microsoft'sInternet Explorer and said analysing means is a Browser Helper object.137. The system of claim 125 wherein said application is an Instantmessaging application.
 138. The system of claim 137 wherein saidanalyser is a plug-in of said Instant messaging application.
 139. Thesystem of claim 125 wherein said network comprises a server and saidanalyser is located at a point on said network intermediate said one ormore workstations and said server, or said analysing means is located atsaid server.
 140. The system of claim 125 further comprising asupervisor workstation, said supervisor workstation having access tosaid storage means and being operable to view said relevant usernamesand passwords stored in said storage means.
 141. The system of claim 125wherein a workstation of said plurality of workstations has access tosaid storage means and is operable to view said relevant usernames andpasswords stored in said storage means.
 142. A method for recordingpasswords and usernames comprising the steps of: providing a pluralityof workstations adapted for connection to the Internet, each workstationhaving a memory; providing a data repository arranged to receive datafrom each of said workstations; providing an application stored in saidmemory of each workstation for transmitting outbound data and receivinginbound data from the Internet; and/or an application for receiving userinput data; and analysing at least one of said user input data, saidoutbound data and said inbound data, to identify usernames andpasswords; and causing said usernames and passwords to be stored in saiddata repository.
 143. The method of claim 142 further comprising thesteps of determining whether the usernames and passwords are used toaccess a web page, and if they are, identifying the URL address of saidweb page, and storing said URL in said data repository with saidusernames and passwords.
 144. The method of claim 142 further comprisingthe step of encrypting usernames and passwords prior to being stored insaid data repository.
 145. The method of claim 142 further comprisingthe step of encrypting the usernames and passwords that are stored insaid data repository.
 146. The method of claim 142 wherein in saidanalysing step usernames and passwords are identified from the fieldnames of data contained in at least one of said outbound data or saidinbound data.
 147. The method of claim 142 wherein a representation ofthe input fields of a web page is stored in said memory of saidworkstation, and wherein in said analyser step usernames and passwordsare identified from said representation.
 148. The method of claim 142wherein in said analysing step usernames and passwords are identifiedfrom the field types of data contained in said outbound or said inbounddata.
 149. The method of claim 142 wherein said application has a userinterface provided with a ‘remember password’ option which when selectedstores input usernames and passwords in said memory of said one or moreworkstations, and wherein in said analysing step usernames and passwordsare identified from said input usernames and passwords stored in saidmemory of said one or more workstations.
 150. The method of claim 142wherein said analysing step is performed on said one or moreworkstations.
 151. The method of claim 142 wherein said application is aweb browser.
 152. The method of claim 151 wherein said analysing step isperformed by a plug-in module of said web browser.
 153. The method ofclaim 152 wherein said web browser is Microsoft's Internet Explorer andsaid plug-in module is a Browser Helper Object.
 154. The method of claim142 wherein said application is an Instant messaging application. 155.The method of claim 154 wherein said analyser is a plug-in of saidInstant messaging application.
 156. The method of claim 142 wherein saidnetwork comprises a server and said analysing step is performed at apoint on said network intermediate said one or more workstations andsaid server, or said analysing step is performed at said server. 157.The method of claim 142 further comprising the step of providing asupervisor workstation, said supervisor workstation having access tosaid data repository and being operable to view said relevant usernamesand passwords stored in said data repository.
 158. The method of claim142 wherein a computer of said plurality of computers has access to saiddata repository and is operable to view said relevant usernames andpasswords stored in said data repository.
 159. A computer programproduct, for controlling a plurality of computers in a private networkto record passwords and usernames, the network having a data repositoryarranged to receive data from the plurality of computers, said computerprogram product comprising: a recording medium readable by the computer,having program code recorded thereon which when executed on each of saidplurality of computers, configures said computers to: analyse, inconjunction with an application running on the computer that is operableto transmit outbound data to the Internet and receive inbound data fromthe Internet, and/or an application running on the computer forreceiving user input data, at least one of said user input data, saidoutbound data and said inbound data, to identify in at least one of saiduser input data, said outbound data and said inbound data, relevant datathat is to be stored in said data repository; and control said computerto store said relevant data in said data repository.
 160. The computerprogram product of claim 159 wherein said program code when executed onsaid computer is further operable to determine whether the usernames andpasswords are used to access a web page, and if they are, to identifythe URL address of said web page and to direct the computer to storesaid URL in said data repository with said usernames and passwords. 161.The computer program product of claim 159 wherein said program code whenexecuted on said computer is further operable to cause said usernamesand passwords to be encrypted prior to them being stored in said datarepository.
 162. The computer program product of claim 159 wherein saidprogram code when executed on said computer is further operable to causesaid usernames and passwords that are stored in said data repository tobe encrypted.
 163. The computer program product of claim 159 whereinsaid program code when executed on said computer is operable to identifyusernames and passwords from the field names of data contained in atleast one of said outbound data or said inbound data.
 164. The computerprogram product of claim 159 wherein a representation of the inputfields of a web page is stored in the memory of said computer, andwherein said program code when executed on said computer is operable toidentify usernames and passwords from said representation.
 165. Thecomputer program product of claim 159 wherein said program code whenexecuted on said computer is further operable to identify usernames andpasswords from the field types of data contained in said outbound orsaid inbound data.
 166. The computer program product of claim 159wherein said application for receiving user input data has a userinterface provided with a ‘remember password’ option which when selectedstores input usernames and passwords in said memory of said computer,and wherein said program code when executed on said computer is operableto identify usernames and passwords from said input usernames andpasswords stored in said memory of said computer.
 167. The computerprogram product of claim 159 wherein said program code is executable ateach of said computers.
 168. The computer program product of claim 159wherein said application is a web browser.
 169. The computer programproduct of claim 168 wherein said program code when executed on saidcomputer is a plug-in module of said web browser.
 170. The computerprogram product of claim 169 wherein said web browser is Microsoft'sInternet Explorer and said plug-in module is a Browser Helper Object.171. The computer software product of claim 159 wherein said applicationis an Instant messaging application.
 172. The computer software productof claim 171 wherein said program code when executed on said computer isa plug-in of said Instant messaging application.
 173. The computerprogram product of claim 159 wherein said network comprises a server andsaid program code is executable at a point on said network intermediatesaid computer and said server, or said program code is executable atsaid server.
 174. The computer program product of claim 159 furthercomprising program code which when executed on said computer enablesthat computer as a supervisor workstation, said supervisor workstationhaving access to said data repository and being operable to view saidrelevant usernames and passwords stored in said data repository. 175.The computer program product of claim 159 wherein a computer of saidplurality of computers has access to said data repository and isoperable to view said relevant usernames and passwords stored in saiddata repository.
 176. An information management system comprising: oneor more workstations adapted for connection to a computer network, eachworkstation having a memory; an application stored in said memory ofeach workstation for transmitting( outbound data to said network andreceiving inbound data from said network; policy data containing rulesspecifying an appropriate encryption strength for outbound data, theencryption strength depending on the content of the data; and ananalyser, said analyser being operable in conjunction with said policydata to monitor said outbound data and to determine, in accordance withsaid rules in said policy data, an appropriate encryption strength forthe outbound data; wherein said analyser controls transmission of saidoutbound data from said application in dependence upon saiddetermination of an appropriate encryption strength.
 177. The system ofclaim 176 wherein said rules in said policy data define confidentialdata which can not be transmitted, said analyser being operable inconjunction with said policy data to prevent said confidential databeing transmitted from said application.
 178. The system of claim 176wherein said analyser is further operable to determine the presentencryption strength in use for transmitting said outbound data; andwherein said analyser controls transmission of said outbound data fromsaid application both in dependence upon said determination of anappropriate encryption strength and in dependence upon saiddetermination of the present encryption strength in use.
 179. The systemof claim 178 wherein if the analyser determines that the presentencryption strength in use for transmitting outbound data is less thansaid appropriate encryption strength, then said analyser preventstransmission of said outbound data from said application.
 180. Thesystem of claim 178 wherein if the analyser determines that the presentencryption strength in use for transmitting outbound data is less thansaid appropriate encryption strength, then said analyser preventstransmission of said outbound data from said application and controlssaid application to renegotiate an encryption strength for transmissionthat is appropriate.
 181. The system of claim 178 wherein if theanalyser determines that the present encryption strength in use fortransmitting outbound data is less than said appropriate encryptionstrength, then said analyser modifies the outbound data such that thepresent encryption strength is an appropriate encryption strength forthe transmission of the modified outbound data.
 182. The system of claim178 wherein if the analyser determines that the present encryptionstrength in use for transmitting outbound data is less than saidappropriate encryption strength, then said analyser controls saidapplication to notify a user of said application that the encryptionstrength in use is not sufficient.
 183. The system of claim 176 whereinthe analyser is further operable to identify credit card numbers in saidoutbound data.
 184. The system of claim 183 wherein the analyser isfurther operable to distinguish a predetermined set of credit cardnumbers from other credit card numbers, wherein said rules of saidpolicy data define different appropriate encryption strengths foroutbound data containing credit card numbers in the predetermined setthan for other credit card numbers.
 185. The system of claim 184 whereinsaid rules of said policy data specify that there is no appropriateencryption strength for a pre-determined set of one or more credit cardnumbers.
 186. The system of claim 176 wherein said analyser is furtheroperable to identify at least one or more of, credit card numbers,account codes, usernames, passwords, names and addresses and otherpredetermined. keywords in the content of said outbound data.
 187. Thesystem of claim 176 wherein said rules in said policy data specify anappropriate encryption strength for said outbound data, that isdependent on the address to which said outbound data is to betransmitted.
 188. The system of claim 176 wherein said analyser islocated on each of said one or more workstations.
 189. The system ofclaim 176 wherein said application is a web browser.
 190. The system ofclaim 189 wherein said analyser is a plug-in module of said web browser.191. The system of claim 190 wherein said web browser is Microsoft'sInternet Explorer and said analyser is a Browser Helper Object.
 192. Thesystem of claim 176 wherein said application is an e-mail client. 193.The system of claim 192 wherein said analyser is a plug-in module ofsaid e-mail client.
 194. The system of claim 193 wherein said e-mailclient is Microsoft's Outlook e-mail client and said analyser is aMicrosoft client extension.
 195. The system of claim 176 wherein saidapplication is an Instant messaging application.
 196. The system ofclaim 195 wherein said analyser is a plug-in of said Instant messagingapplication.
 197. The system of claim 176 wherein said network comprisesa server and said analyser is located at a point on said networkintermediate said one or more workstations and said server, or saidanalyser is located at said server.
 198. The system of claim 176 whereinsaid computer network to which said one or more workstations are adaptedfor connection is a public computer network, and wherein said one ormore workstations together form a private computer network.
 199. Thesystem of claim 176 further comprising a supervisor workstation, saidpolicy data being accessible by said supervisor workstation, such that auser of said supervisor workstation can edit said policy data.
 200. Aninformation management system comprising: one or more workstationsadapted for connection to a computer network, each workstation having amemory; application means, stored in said memory of each workstation,for transmitting outbound data to said network and receiving inbounddata from said network; policy storage means, for storing policy datacontaining rules specifying an appropriate encryption strength foroutbound data, the encryption strength depending on the content of thedata; and analysing means, operable in conjunction with said policydata, for monitoring said outbound data to determine, in accordance withsaid rules in said policy data, an appropriate encryption strength forthe outbound data; wherein said analysing means controls transmission ofsaid outbound data from said application means in dependence upon saiddetermination of an appropriate encryption strength.
 201. The system ofclaim 200 wherein said rules in said policy data define confidentialdata which can not be transmitted, said analysing means being operablein conjunction with said policy data to prevent said confidential databeing transmitted from said application means.
 202. The system of claim200 wherein said analysing means is further operable to determine thepresent encryption strength in use for transmitting said outbound data;and wherein said analysing means controls transmission of said outbounddata from said application means both in dependence upon saiddetermination of an appropriate encryption strength and in dependenceupon said determination of the present encryption strength in use. 203.The system of claim 202 wherein if the analysing means determines thatthe present encryption strength in use for transmitting outbound data isless than said appropriate encryption strength, then said analysingmeans prevents transmission of said outbound data from said applicationmeans.
 204. The system of claim 202 wherein if the analysing meansdetermines that the present encryption strength in use for transmittingoutbound data is less than said appropriate encryption strength, thensaid analysing means prevents transmission of said outbound data fromsaid application means and controls said application to renegotiate anencryption strength for transmission that is appropriate.
 205. Thesystem of claim 202 wherein if the analysing means determines that thepresent encryption strength in use for transmitting outbound data isless than said appropriate encryption strength, then said analysingmeans modifies the outbound data such that the present encryptionstrength is an appropriate encryption strength for the transmission ofthe modified outbound data.
 206. The system of claim 202 wherein if theanalysing means determines that the present encryption strength in usefor transmitting outbound data is less than said appropriate encryptionstrength, then said analysing means controls said application means tonotify a user of said application means that the encryption strength inuse is not sufficient.
 207. The system of claim 200 wherein theanalysing means is further operable to identify credit card numbers insaid outbound data.
 208. The system of claim 207 wherein the analysingmeans is further operable to distinguish a predetermined set of creditcard numbers from other credit card numbers, wherein said rules of saidpolicy data define different appropriate encryption strengths foroutbound data containing credit card numbers in the predetermined setthan for other credit card numbers.
 209. The system of claim 208 whereinsaid rules of said policy data specify that there is no appropriateencryption strength for a pre-determined set of one or more credit cardnumbers.
 210. The system of claim 200 wherein said analysing means isfurther operable to identify at least one or more of, credit cardnumbers, account codes, usernames, passwords, names and addresses andother predetermined keywords in the content of said outbound data. 211.The system of claim 200 wherein, said rules in said policy data specifyan appropriate encryption strength for said outbound data, that isdependent on the address to which said outbound data is to betransmitted.
 212. The system of claim 200 wherein said analysing meansis located on each of said one or more workstations.
 213. The system ofclaim 200 wherein said application means is a web browser.
 214. Thesystem of claim 213 wherein said analysing means is a plug-in module ofsaid web browser.
 215. The system of claim 214 wherein said web browseris Microsoft's Internet Explorer and said analysing means is a BrowserHelper Object.
 216. The system of claim 200 wherein said applicationmeans is an e-mail client.
 217. The system of claim 216 wherein saidanalysing means is a plug-in module of said e-mail client.
 218. Thesystem of claim 217 wherein said e-mail client is Microsoft's Outlooke-mail client and said analysing means is a Microsoft client extension.219. The system of claim 200 wherein said application is an Instantmessaging application.
 220. The system of claim 219 wherein saidanalyser is a plug-in of said Instant messaging application.
 221. Thesystem of claim 200 wherein said network comprises a server and saidanalysing means is located at a point on said network intermediate saidone or more workstations and said server, or said analysing means islocated at said server.
 222. The system of claim 200 wherein saidcomputer network to which said one or more workstations are adapted forconnection is a public computer network, and wherein said one or moreworkstations together form a private computer network.
 223. The systemof claim 200 further comprising a supervisor workstation, said policydata being accessible by said supervisor workstation, such that a userof said supervisor workstation can edit said policy data.
 224. A methodof managing information comprising the steps of: providing one or moreworkstations adapted for connection to a computer network, eachworkstation having a memory; providing an application stored in saidmemory of each workstation for transmitting outbound data to saidnetwork and receiving inbound data from said network; providing policydata containing rules specifying an appropriate encryption strength foroutbound data, the encryption strength depending on the content of thedata; and analysing said outbound data to determine, in accordance withsaid rules in said policy data, an appropriate encryption strength forthe outbound data; controlling transmission of said outbound data fromsaid application in dependence upon the determination of an appropriateencryption strength in said analysing step.
 225. The method of claim 224wherein said rules in said policy data define confidential data whichcannot be transmitted, and wherein in said controlling step transmissionof said confidential data is prevented.
 226. The method of claim 224wherein said analysing step further comprising the step of determiningthe present encryption strength in use for transmitting said outbounddata; and wherein in said controlling step the transmission of saidoutbound data from said application is dependent upon both thedetermination of an appropriate encryption strength and thedetermination of the present encryption strength in use.
 227. The methodof claim 226 wherein if it is determined that the present encryptionstrength in use for transmitting outbound data is less than saidappropriate encryption strength, then in said controlling steptransmission of said outbound data from said application is prevented.228. The method of claim 226 wherein if in said analysing step it isdetermined that the present encryption strength in use for transmittingoutbound data is less than said appropriate encryption strength, then insaid controlling step an encryption strength appropriate fortransmission of said outbound data is negotiated before transmission.229. The method of claim 226 wherein if in said analysing step it isdetermined that the present encryption strength in use for transmittingoutbound data is less than, said appropriate encryption strength, thenin said controlling step the outbound data is modified such that thepresent encryption strength is an appropriate encryption strength. 230.The method of claim 226 wherein in said analysing step if it isdetermined that the present encryption strength in use for transmittingoutbound data is less than said appropriate encryption strength, then insaid controlling step a user of said application is notified that theencryption strength in use is not sufficient.
 231. The method of claim226 wherein said analysing step includes identifying credit card numbersin said outbound data.
 232. The method of claim 231 wherein saidanalysing step includes distinguishing a pre-determined set of one ormore credit card numbers from other credit card numbers, and whereinsaid rules of said policy data define a different appropriate encryptionstrength for outbound data containing credit card numbers in thatpre-determined set than for other credit card numbers.
 233. The methodof claim 232 wherein said rules of said policy data specifies that thereis no appropriate encryption strength for said pre-determined set of oneor more credit card numbers.
 234. The method of claim 224 wherein saidanalysing step includes identifying at least one or more of, credit cardnumbers, account codes, usernames, passwords, names and addresses andother predetermined keywords in the content of said outbound data. 235.The method of claim 224 wherein said rules in said policy data specifyan appropriate encryption strength for said outbound data, that isdependent on the address to which said outbound data is to betransmitted.
 236. The method of claim 224 wherein said analysing step isperformed at said one or more workstations.
 237. The method of claim 224wherein said application is a web browser.
 238. The method of claim 237wherein said analysing step is performed by a plug-in module of said webbrowser.
 239. The method of claim 238 wherein said web browser isMicrosoft's Internet Explorer and said plug-in module is a BrowserHelper Object.
 240. The method of claim 224 wherein said application isan e-mail client.
 241. The method of claim 240 wherein said analysingstep is performed by a plug-in module of said e-mail client.
 242. Themethod of claim 241 wherein said e-mail client is Microsoft's Outlooke-mail client and said plug-in module is a Microsoft Exchange clientextension.
 243. The method of claim 224 wherein said application is anInstant messaging application.
 244. The method of claim 243 wherein saidanalyser is a plug-in of said Instant messaging application.
 245. Themethod of claim 224 wherein said network comprises a server and saidanalysing step is performed at a point on said network intermediate saidone or more workstations and said server, or said analysing step isperformed at said server.
 246. The method of claim 224 wherein saidcomputer network to which said one or more workstations are adapted forconnection is a public computer network, and wherein said one or moreworkstations together form a private computer network.
 247. The methodof claim 224 further comprising the step of providing a supervisorworkstation, said policy data being accessible by said supervisorworkstation, such that a user of said supervisor workstation can editsaid policy data.
 248. A computer program product for controlling acomputer connected to a public network to manage information, thecomputer having access to policy data containing rules specifying anappropriate encryption strength for outbound data transmitted to thepublic network, the encryption strength depending on the content of thedata, comprising: a recording medium readable by the computer, havingprogram code recorded thereon which when executed on said computer,configures said computer to: determine, in conjunction with anapplication running on the computer that is operable at least totransmit outbound data to said public network, with reference to saidrules in said policy data, an appropriate encryption strength for theoutbound data; and control the transmission of said outbound data bysaid application in dependence upon the determination of an appropriateencryption strength.
 249. The computer program product of claim 248wherein said rules in said policy data define confidential data whichcannot be transmitted, wherein said program code when executed on saidcomputer is operable to prevent transmission of said confidential datafrom said application.
 250. The computer program product of claim 248wherein said program code when executed on said computer is furtheroperable to determine the present encryption strength in use fortransmitting said outbound data; and to control the transmission of saidoutbound data from said application in dependence upon both thedetermination of an appropriate encryption strength and thedetermination of the present encryption strength in use.
 251. Thecomputer program product of claim 250 wherein said program code whenexecuted on said computer is further operable, if it is determined thatthe present encryption strength in use for transmitting outbound data isless than said appropriate encryption strength, to prevent thetransmission of said outbound data from said application.
 252. Thecomputer program product of claim 250 wherein said program code whenexecuted on said computer is further operable, if it is determined thatthe present encryption strength in use for transmitting outbound data isless than said appropriate encryption strength, to negotiate anappropriate encryption. strength for transmission of said outbound databefore transmission.
 253. The computer program product of claim 250wherein said program code when executed on said computer is furtheroperable, if it is determined that the present encryption strength inuse for transmitting outbound data is less than said appropriateencryption strength, to modify the outbound data such that the presentencryption strength is an appropriate encryption strength.
 254. Thecomputer program product of claim 250 wherein said program code whenexecuted on said computer is further operable, if it is determined thatthe present encryption strength in use for transmitting outbound data isless than said appropriate encryption strength, to provide notificationthat the encryption strength in use is not sufficient.
 255. The computerprogram product of claim 248 wherein said program code when executed onsaid computer is further operable to identify credit card numbers insaid outbound data.
 256. The computer program product of claim 255wherein said program code when executed on said computer is furtheroperable to identify a pre-determined set of one or more credit cardnumbers from other credit card numbers, and wherein said rules of saidpolicy data define a different appropriate encryption strength foroutbound data containing credit card numbers in that pre-determined setthan for other credit card numbers.
 257. The computer program product ofclaim 256 wherein said rules of said policy data specifies that there isno appropriate encryption strength for said pre-determined set of one ormore credit card numbers.
 258. The computer program product of claim 248wherein said program code when executed on said computer is furtheroperable, to identify at least one or more of, credit card numbers,account codes, usernames, passwords, names and addresses and otherpredetermined keywords in the content of said outbound data.
 259. Thecomputer program product of claim 248 wherein said rules in said policydata specify an appropriate encryption strength for said outbound data,that is dependent on the address to which said outbound data is to betransmitted.
 260. The computer program product of claim 248 wherein saidprogram code is executable on said computer.
 261. The computer programproduct of claim 248 wherein said application is a web browser.
 262. Thecomputer program product of claim 261 wherein said program code whenexecuted on said computer is a plug-in module of said web browser. 263.The computer program product of claim 262 wherein said web browser isMicrosoft's Internet Explorer and said plug-in module is a BrowserHelper Object.
 264. The computer program product of claim 248 whereinsaid application is an e-mail client.
 265. The computer program productof claim 264 wherein said program code when executed on said computer isa plug-in module of said e-mail client.
 266. The computer programproduct of claim 265 wherein said e-mail client is Microsoft's Outlooke-mail client and said plug-in module is a Microsoft Exchange clientextension.
 267. The computer software product of claim 248 wherein saidapplication is an Instant messaging application.
 268. The computersoftware product of claim 267 wherein said program code when executed onsaid computer is a plug-in of said Instant messaging application. 269.The computer program product of claim 248 wherein said network includesa server and said program code is executable at a point on said networkintermediate said one or more workstations and said server, or programcode is executable at said server.
 270. An information management systemcomprising: a plurality of client workstations adapted for connection toa computer network, each workstation having a memory; a data repositoryarranged to receive data from each of said client workstations; anapplication stored in said memory of each workstation for transmittingoutbound data to said network and receiving inbound data from saidnetwork; policy data defining rules for the recording of data that maycomprise part of a transaction conducted between a client workstationand a third party across said computer network; an analyser, saidanalyser being operable in conjunction with said policy data to analyseat least one of said outbound data and said inbound data, to identifythe existence of a transaction occurring between a client workstationand a third party by analysing said outbound or said inbound data, andto cause transaction data that is all or part of said outbound data orsaid inbound data related to an identified transaction to be stored insaid data repository.
 271. The system of claim 270 wherein said analyseris operable to determine whether a secure link has been negotiatedbetween said application and a remote site on said network, and toidentify the existence of a transaction if said outbound data or saidinbound data is transmitted on a secure link.
 272. The system of claim271 wherein said network is the Internet, and said rules of said policydata define the addresses of non-eCommerce web sites and/ornon-eCommerce e-mail accounts, said analyser being operable to disregardany transactions that are identified between a client workstation and anon-eCommerce web site and/or e-mail account such that no transactiondata related to a transaction made to a non-eCommerce web sites or anon-eCommerce e-mail account is stored in the data repository.
 273. Thesystem of claim 270 wherein said analyser is operable to identify theexistence of a transaction by reference to said rules of said policydata, said rules of said policy data defining the addresses of knowneCommerce locations.
 274. The system of claim 270 wherein said analyseris operable to identify credit card numbers, and to identify theexistence of a transaction by identifying credit card numbers in saidoutbound data or inbound data.
 275. The system of claim 270 wherein saidanalyser is operable to identify the existence of a transaction byreference to said rules of said policy data, said rules of said policydata defining one or more of pre-determined digital certificates,account codes, pre-determined keywords, pre-determined names andaddresses and embedded codes.
 276. The system of claim 270 wherein saidanalyser is operable to identify embedded codes in said inbound data,said embedded code having been placed in said inbound data to identifyit as transaction data.
 277. The system of claim 270 wherein saidanalyser is operable to identify electronic receipts, and to identifythe existence of a transaction by identifying an electronic receipt insaid outbound or inbound data.
 278. The system of claim 270 wherein saidanalyser is operable to record a pre-determined number of subsequenttransmission of said outbound data or said inbound data following anidentification of the existence of a transaction by said analyser,providing that the address or organisation to which the subsequenttransmissions are sent, or from which they are received, is the same asthe address or organisation to which the outbound data was sent or fromwhich the inbound data was received and in which the existence of atransaction was identified.
 279. The system of claim 278, wherein saidanalyser is operable to detect one or more indicators of the nature ofthe transaction, and said rules of said policy data define the number ofsubsequent transmissions of said outbound data and said inbound datathat are to be recorded in said data repository based on the identifiednature of the transaction.
 280. The system of claim 278 wherein saidrules of said policy data define the number of subsequent transmissionsof said outbound and said inbound data that are to be stored in saiddata repository in dependence on the indicator by which the existence ofa transaction was identified.
 281. The system of claim 270 wherein saidanalyser is operable to record all subsequent transmissions of saidoutbound data or said inbound data that occur within a pre-determinedamount of time following an identification of the existence of atransaction by said analyser, providing that the address or organisationto which the subsequent transmissions are sent, or from which they arereceived, is the same as the address or organisation to which theoutbound data was sent or from which the inbound data was received andin which the existence of a transaction was identified.
 282. The systemof claim 281, wherein said analyser is operable to detect one or moreindicators of the nature of the transaction, and said rules of saidpolicy data define the amount of time for which all subsequenttransmissions of said outbound data and said inbound data are to berecorded in said data repository based on the identified nature of thetransaction.
 283. The system of claim 281 wherein said rules of saidpolicy data define the amount of time for which subsequent transmissionsof said outbound and said inbound data are to be stored in said datarepository in dependence on the indicator by which the existence of atransaction was identified.
 284. The system of claim 270 wherein saidanalyser is further operable to identify the completion of a transactionby analysing said outbound data or said inbound data, and to cause allor part of said outbound data transmitted by said application and all orpart of said inbound data received by said application after saidanalyser has identified the existence of a transaction and before saidanalyser has identified the completion of a transaction to be stored insaid data repository.
 285. The system of claim 284 wherein said analyseris operable to identify subsequent related data in said outbound datatransmitted by said application and said inbound data received by saidapplication after said analyser has identified the completion of atransaction, and to cause said subsequent related data to be stored insaid data repository with said transaction data already identified. 286.The system of claim 285 wherein said analyser is operable to identifysaid subsequent related data by identifying common indicators in bothsaid transaction data already identified and said outbound datatransmitted by said application and said inbound data received by saidapplication after said analyser has identified the completion of atransaction, said common indicators being one or more of the address ofthe location to which said outbound data is transmitted or from whichsaid inbound data is received, part of the data path to the location towhich said outbound data is transmitted or from which said inbound datais received, account code or reference numbers.
 287. The system of claim270 wherein said application is operable such that a user of saidapplication can indicate said outbound and said inbound data that isrelated to a transaction said analyser being operable to identify saidoutbound and said inbound data so indicated.
 288. The system of claim270 wherein said application is operable to store all of said outbounddata and said inbound data in said memory of said workstation asprevious data, irrespective of whether it may or may not be part of atransaction and, said analyser is operable, if the existence of atransaction is identified, to retrieve a pre-determined amount ofprevious data from said outbound data and said inbound data stored insaid memory of said workstation, and to cause said previous data to bestored in said data repository with said transaction data.
 289. Thesystem of claim 288 wherein said rules of said policy data specify theamount of previous data that is to be retrieved independence on theindicator by which the existence of a transaction is identified. 290.The system of claim 288 wherein said network is the Internet and saidapplication is a web browser, said web browser being operable to storeeach web page that is viewed by said web browser in memory as previousdata.
 291. The system of claim 290 wherein said rules of said policydata specify the number of web pages that are to be retrieved from thosepreviously stored in memory in dependence on the indicator by which theexistence of a transaction is identified.
 292. The system of claim 270wherein said application is operable to store all of said outbound dataand said inbound data in memory as previous data, irrespective ofwhether it may or may not be part of a transaction and, said analyser isoperable, if the existence of a transaction is identified, to identify,in said previous data, earlier relevant data that is related to saidtransaction data already identified, and to cause said earlier relevantdata to be stored in said data repository with said transaction data.293. The system of claim 292 wherein said analyser is operable toidentify said earlier relevant data in said previous data, byidentifying common indicators in both said transaction data and saidoutbound data and said inbound data previously stored in said memory ofsaid workstation, said common indicators being one or more of theaddress of the location to which said outbound data is transmitted orfrom which said inbound data is received, part of the data path to thelocation to which said outbound data is transmitted or said inbound datais received, account code or reference number.
 294. The system of claim270 wherein said application is operable to store all of said outbounddata and said inbound data in memory as previous data, irrespective ofwhether it may or may not be part of a transaction, and is furtheroperable such that, if said analyser identifies the existence of atransaction, a user of said application can select earlier relevant datafrom said previous data, said earlier relevant data selected by the userbeing stored in said common data repository together with saidtransaction data.
 295. The system of claim 270 wherein said analyser isoperable, once it has identified the existence of a transaction, todetermine the nature of said transaction by analysing the content ofsaid outbound and inbound data, and said rules of said policy datadefine how said transaction data is to be stored in said data repositoryin dependence on the nature of the transaction determined by saidanalyser, said transaction data being stored in said database accordingto said determination and said rules of said policy data.
 296. Thesystem of claim 295 wherein said analyser is operable to determine thenature of the transaction by identifying in said outbound data and saidinbound data one or more indicators, said indicators being defined insaid rules of said policy data, and being one or more of: the address ofthe network location to which said data that may be part of atransaction is transmitted or from which it is received; part of thedata path to the network location to which said transaction data istransmitted or from which it is received; account codes; referencenumbers; credit card numbers; digital certificates and pre-determinedkeywords.
 297. The system of claim 270 wherein said analyser is operableto identify, once the existence of a transaction has been identified,one or more indicators of the nature of said transaction, saidtransaction data being stored in said data repository such that it isorgaised by said one or more indicators to form a record.
 298. Thesystem of claim 297 wherein said rules of said policy data define saidone or more indicators of the nature of a transaction, said indicatorsbeing one or more of: the address of the location to which saidtransaction data is transmitted or from which it is received; part ofthe data path to the location to which said transaction data istransmitted or from which it is received; account codes, referencenumbers, credit card numbers, digital certificates and pre-determinedkeywords.
 299. The system of claim 270 wherein the analyser is operableto determine the length of time taken to complete a transaction, andcause this to be stored in the data repository with the transactiondata.
 300. The system of claim 270 wherein the analyser is operable todetermine the number of keystrokes or mouse-clicks made in order tocomplete the transaction, and cause this to be stored in the datarepository with the transaction data.
 301. The system of claim 270wherein the analyser is operable to determine the length of time spentwaiting for data to be downloaded to said application during saidtransaction, and cause this to be stored in the data repository with thetransaction data.
 302. The system of claim 270 wherein the analyser isoperable to determine the length of time the web server takes to respondto outbound messages sent from said application, and cause this to bestored in said data repository.
 303. The system of claim 270 wherein theanalyser is operable to determine the length of time a user of saidapplication takes to transmit a response to data downloaded to saidapplication during said transaction, and cause this to be stored in thedata repository with the transaction data.
 304. The system of claim 303,wherein the analyser is operable to determine from the length of time auser of said application takes to transmit a response to data downloadedto said application, the length of time the user spends entering thedata that forms the response, and cause this to be stored in the datarepository with the transaction data.
 305. The system of claim 270wherein said data repository is accessible by one or more of an accountsapplication, an order processing application or other transactionmanagement application.
 306. The system of claim 270 wherein any datatransmitted to said data repository is encrypted before it istransmitted to said data repository.
 307. The system of claim 270wherein any data stored in said data repository is encrypted.
 308. Thesystem of claim 270 wherein said analyser is located on each of said oneor more workstations.
 309. The system of claim 270 wherein saidapplication is a web browser.
 310. The system of claim 309 wherein saidanalyser is a plug-in module of said web browser.
 311. The system ofclaim 310 wherein said web browser is Microsoft's Internet Explorer andsaid analyser is a Browser Helper Object.
 312. The system of claim 270wherein said application is an e-mail client.
 313. The system of claim312 wherein said analyser is a plug-in module of said e-mail client.314. The system of claim 313 wherein said e-mail client is Microsoft'sOutlook e-mail client and said analyser is a Microsoft Exchange clientextension.
 315. The system of claim 270 wherein said application is anInstant messaging application.
 316. The system of claim 315 wherein saidanalyser is a plug-in of said Instant messaging application.
 317. Thesystem of claim 270 wherein said network comprises a server, and saidanalyser is located at a point on said network intermediate said one ormore work stations and said server, or said analyser is located at saidserver.
 318. The system of claim 270 wherein said computer network towhich said one or more workstations are adapted for connection is apublic computer network, and wherein said one or more workstationstogether form a private computer network.
 319. The system of claim 270further comprising a supervisor workstation, said policy data beingaccessible by said supervisor workstation, such that a user of saidsupervisor workstation can edit said policy data.
 320. An informationmanagement system comprising: a plurality of client workstations adaptedfor connection to a computer network, each workstation having a memory;storage means for storing data received from each of said clientworkstations; application means, stored in said memory of eachworkstation, for transmitting outbound data to said network andreceiving inbound data from said network; policy storage means forstoring policy data defining rules for the recording of data that maycomprise part of a transaction conducted between a client workstationand a third party across said computer network; and analysing means,operable in conjunction with said policy data, for analysing at leastone of said outbound data and said inbound data, to identify theexistence of a transaction occurring between a client workstation and athird party, and for causing transaction data that is all or part ofsaid outbound data or said inbound data related to an identifiedtransaction to be stored in said storage means.
 321. The system of claim320 wherein said analysing means is operable to determine whether asecure link has been negotiated between said application means and aremote site on said network, and to identify the existence of atransaction if said outbound data or said inbound data is transmitted ona secure link.
 322. The system of claim 321 wherein said network is theInternet, and said rules of said policy data define the addresses ofnon-eCommerce web sites and/or non-eCommerce e-mail accounts, saidanalysing means being operable to disregard any transactions that areidentified between a client workstation and a non-eCommerce web siteand/or e-mail account such that no transaction data related to atransaction made to a non-eCommerce web sites or a non-eCommerce e-mailaccount is stored in the storage means.
 323. The system of claim 320wherein said analysing means is operable to identify the existence of atransaction by reference to said rules of said policy data, said rulesof said policy data defining the addresses of known eCommerce locations.324. The system of claim 320 wherein said analysing means is operable toidentify credit card numbers, and to identify the existence of atransaction by identifying credit card numbers in said outbound data orinbound data.
 325. The system of claim 320 wherein said analysing meansis operable to identify the existence of a transaction by reference tosaid rules of said policy data, said rules of said policy data definingone or more of pre-determined digital certificates, account codes,pre-determined keywords, pre-determined names and addresses and embeddedcodes.
 326. The system of claim 320 wherein said analysing means isoperable to identify embedded codes in said inbound data, said embeddedcode having been placed in said inbound data to identify it astransaction data.
 327. The system of claim 320 wherein said analysingmeans is operable to identify electronic receipts, and to identify theexistence of a transaction by identifying an electronic receipt in saidoutbound or inbound data.
 328. The system of claim 320 wherein saidanalysing means is operable to record a pre-determined number ofsubsequent transmissions of said outbound data or said inbound datafollowing an identification of the existence of a transaction by saidanalysing means, providing that the address or organisation to which thesubsequent transmissions are sent, or from which they are received, isthe same as the address or organisation to which the outbound data wassent or from which the inbound data was received and in which theexistence of a transaction was identified.
 329. The system of claim 328,wherein said analysing means is operable to detect one or moreindicators of the nature of the transaction, and said rules of saidpolicy data define the number of subsequent transmissions of saidoutbound data and said inbound data that are to be recorded in saidstorage means based on the identified nature of the transaction. 330.The system of claim 328 wherein said rules of said policy data definethe number of subsequent transmissions of said outbound and said inbounddata that are to be stored in said storage means in dependence on theindicator by which the existence of a transaction was identified. 331.The system of claim 320 wherein said analysing means is operable torecord all subsequent transmissions of said outbound data or saidinbound data that occur within a pre-determined amount of time followingan identification of the existence of a transaction by said analysingmeans, providing that the address or organisation to which thesubsequent transmissions are sent, or from which they are received, isthe same as the address or organisation to which the outbound data wassent or from which the inbound data was received and in which theexistence of a transaction was identified.
 332. The system of claim 331,wherein said analysing means is operable to detect one or moreindicators of the nature of the transaction, and said rules of saidpolicy data define the amount of time for which all subsequenttransmissions of said outbound data and said inbound data are to berecorded in said storage means based on the identified nature of thetransaction.
 333. The system of claim 331 wherein said rules of saidpolicy data define the amount of time for which subsequent transmissionsof said outbound and said inbound data are to be stored in said storagemeans in dependence on the indicator by which the existence of atransaction was identified.
 334. The system of claim 320 wherein saidanalysing means is further operable to identify the completion of atransaction by analysing said outbound data or said inbound data, and tocause all or part of said outbound data transmitted by said applicationmeans and all or part of said inbound data received by said applicationmeans after said analysing means has identified the existence of atransaction and before said analysing means has identified thecompletion of a transaction to be stored in said storage means.
 335. Thesystem of claim 334 wherein said analysing means is operable to identifysubsequent related data in said outbound data transmitted by saidapplication means and said inbound data received by said applicationmeans after said analysing means has identified the completion of atransaction, and to cause said subsequent related data to be stored insaid storage means with said transaction data already identified. 336.The system of claim 335 wherein said analysing means is operable toidentify said subsequent related data by identifying common indicatorsin both said transaction data already Identified and said outbound datatransmitted by said application means and said inbound data received bysaid application means after said analysing means has identified thecompletion of a transaction, said common indicators being one or more ofthe address of the location to which said outbound data is transmittedor from which said inbound data is received, part of the data path tothe location to which said outbound data is transmitted or from whichsaid inbound data is received, account code or reference numbers. 337.The system of claim 320 wherein said application means is operable suchthat a user of said application means can indicate said outbound andsaid inbound data that is related to a transaction; said analysing meansbeing operable to identify said outbound and said inbound data soindicated.
 338. The system of claim 320 wherein said application meansis operable to store all of said outbound data and said inbound data insaid memory of said workstation as previous data, irrespective ofwhether it may or may not be part of a transaction and, said analysingmeans is operable, if the existence of a transaction is identified, toretrieve a pre-determined amount of previous data from said outbounddata and said inbound data stored in said memory of said workstation,and to cause said previous data to be stored in said storage means withsaid transaction data.
 339. The system of claim 338 wherein said rulesof said policy data specify the amount of previous data that is to beretrieved in dependence on the indicator by which the existence of atransaction is identified.
 340. The system of claim 338 wherein saidnetwork is the Internet and said application means is a web browser,said web browser being operable to store each web page that is viewed bysaid web browser in memory as previous data.
 341. The system of claim340 wherein said rules of said policy data specify the number of webpages that are to be retrieved from those previously stored in memory independence on the indicator by which the existence of a transaction isidentified.
 342. The system of claim 320 wherein said application meansis operable to store all of said outbound data and said inbound data inmemory as previous data, irrespective of whether it may or may not bepart of a transaction and, said analysing means is operable, if theexistence of a transaction is identified, to identify, in said previousdata, earlier relevant data that is related to said transaction dataalready identified, and to cause said earlier relevant data to be storedin said storage means with said transaction data.
 343. The system ofclaim 342 wherein said analysing means is operable to identify saidearlier relevant data in said previous data, by identifying commonindicators in both said transaction data and said outbound data and saidinbound data previously stored in said memory of said workstation, saidcommon indicators being one or more of the address of the location towhich said outbound data is transmitted or from which said inbound datais received, part of the data path to the location to which saidoutbound data is transmitted or said inbound data is received, accountcode or reference number.
 344. The system of claim 320 wherein saidapplication means is operable to store all of said outbound data andsaid inbound data in memory as previous data, irrespective of whether itmay or may not be part of a transaction, and is further operable suchthat, if said analysing means identifies the existence of a transaction,a user of said application means can select earlier relevant data fromsaid previous data, said earlier relevant data selected by the userbeing stored in said common storage means together with said transactiondata.
 345. The system of claim 320 wherein said analysing means isoperable, once it has identified the existence:of a transaction, todetermine the nature of said transaction by analysing the content ofsaid outbound and inbound data, and said rules of said policy datadefine how said transaction data is to be stored in said storage meansin dependence on the nature of the transaction determined by saidanalysing means, said transaction data being stored in said databaseaccording to said determination and said rules of said policy data. 346.The system of claim 345 wherein said analysing means is operable todetermine the nature of the transaction by identifying in said outbounddata and said inbound data one or more indicators, said indicators beingdefined in said rules of said policy data, and being one or more of: theaddress of the network location to which said data that may be part of atransaction is transmitted or from which it is received; part of thedata path to the network location to which said transaction data istransmitted or from which it is received; account codes; referencenumbers; credit card numbers; digital certificates and pre-determinedkeywords.
 347. The system of claim 320 wherein said analysing means isoperable to identify, once the existence of a transaction has beenidentified, one or more indicators of the nature of said transaction,said transaction data being stored in said storage means such that it isorganised by said one or more indicators to form a record.
 348. Thesystem of claim 347 wherein said rules of said policy data define saidone or more indicators of the nature of a transaction, said indicatorsbeing one or more of: the address of the location to which saidtransaction data is transmitted or from which it is received; part ofthe data path to the location to which said transaction data istransmitted or from which it is received; account codes, referencenumbers, credit card numbers, digital certificates and pre-determinedkeywords.
 349. The system of claim 320 wherein the analysing means isoperable to determine the length of time taken to complete atransaction, and cause this to be stored in the storage means with thetransaction data.
 350. The system of claim 320 wherein the analysingmeans is operable to determine the number of keystrokes or mouse-clicksmade in order to complete the transaction, and cause this to be storedin the storage means with the transaction data.
 351. The system of claim320 wherein the analysing means is operable to determine the length oftime spent waiting for data to be downloaded to said application meansduring said transaction, and cause this to be stored in the storagemeans with the transaction data.
 352. The system of claim 320 whereinthe analysing means is operable to determine the length of time the webserver takes to respond to outbound messages sent from said applicationmeans, and cause this to be stored in said storage means.
 353. Thesystem of claim 320 wherein the analysing means is operable to determinethe length of time a user of said application means takes to transmit aresponse to data downloaded to said application means during saidtransaction, and cause this to be stored in the storage means with thetransaction data.
 354. The system of claim 353, wherein the analysingmeans is operable to determine from the length of time a user of saidapplication means takes to transmit a response to data downloaded tosaid application means, the length of time the user spends entering thedata that forms the response, and cause this to be stored in the storagemeans with the transaction data.
 355. The system of claim 320 whereinsaid storage means is accessible by one or more of an accountsapplication, an order processing application or other transactionmanagement application.
 356. The system of claim 320 wherein any datatransmitted to said storage means is encrypted before it is transmittedto said storage means.
 357. The system of claim 320 wherein any datastored in said storage means is encrypted.
 358. The system of claim 320wherein said analysing means is located on on each of said one or moreworkstations.
 359. The system of claim 320 wherein said application is aweb browser.
 360. The system of claim 359 wherein said analysing meansis a plug-in module of said web browser.
 361. The system of claim 360wherein said web browser is Microsoft's Internet Explorer and saidanalysing means is a Browser Helper Object.
 362. The system of claim 320wherein said application means is an e-mail client.
 363. The system ofclaim 362 wherein said analysing means is a plug-in module of saide-mail client.
 364. The system of claim 363 wherein said e-mail clientis Microsoft's Outlook e-mail client and said analysing means is aMicrosoft Exchange client extension.
 365. The system of claim 320wherein said application is an Instant messaging application.
 366. Thesystem of claim 365 wherein said analyser is a plug-in of said Instantmessaging application.
 367. The system of claim 320 wherein said networkcomprises a server, and said analysing means is located at a point onsaid network intermediate said one or more work stations and saidserver, or said analysing means is located at said server.
 368. Thesystem of claim 320 wherein said computer network to which said one ormore workstations are adapted for connection is a public computernetwork, and wherein said one or more workstations together form aprivate computer network.
 369. The system of claim 320 furthercomprising a supervisor workstation, said policy data being accessibleby said supervisor workstation, such that a user of said supervisorworkstation can edit said policy data.
 370. A method of managinginformation comprising the steps of: providing a plurality of clientworkstations adapted for connection to a computer network, eachworkstation having a memory; providing a data repository arranged toreceive data from each of said client workstations; providing anapplication stored in said memory of each workstation for transmittingoutbound data to said network and receiving inbound data from saidnetwork; providing policy data defining rules for the recording of datathat may comprise part of a transaction conducted between a clientworkstation and a third party across said computer network; andanalysing, at least one of said outbound data and said inbound data toidentify, with reference to said rules of said policy data, theexistence of a transaction occurring between a client workstation and athird party; and storing transaction data that is all or part of saidoutbound data or said inbound data related to an identified transactionin said data repository.
 371. The method of claim 370 wherein in saidanalysing step the existence of a transaction is identified bydetermining whether a secure link has been negotiated between saidapplication and a remote site on said network, and by determiningwhether said outbound data or said inbound data is transmitted on thatlink.
 372. The method of claim 371 wherein said network is the Internet,and said rules of said policy data define the addresses of non-eCommerceweb sites and/or non-eCommerce e-mail accounts, wherein said analysingstep includes disregarding any transactions that are identified betweena client workstation and a non-eCommerce web site and/or e-mail accountsuch that no transaction data related to a transaction made to anon-eCommerce web site or a non-eCommerce e-mail account is stored inthe data repository.
 373. The method of claim 370 wherein said analysingstep includes identifying the existence of a transaction by reference tosaid rules of said policy data, said rules of said policy data definingthe addresses of known eCommerce locations.
 374. The method of claim 370wherein said analysing step includes identifying credit card numbers,and the existence of a transaction is identified by identifying creditcard numbers in said outbound data or inbound data.
 375. The method ofclaim 370 wherein in said analysing step the existence of a transactionis identified by reference to said rules of said policy data, said rulesof said policy data defining one or more of pre-determined digitalcertificates, account codes, pre-determined keywords, pre-determinednames and addresses and embedded codes.
 376. The method of claim 370wherein said analysing step includes detecting an embedded code in saidinbound data, said embedded code having been placed in said inbound datato identify it as transaction data.
 377. The method of claim 370 whereinin said analysing step, the existence of a transaction is identified byidentifying an electronic receipt in said outbound or inbound data. 378.The method of claim 370 further comprising the step of recording apre-determined number of subsequent transmissions of said outbound dataor said inbound data following an identification of the existence of atransaction in said analysing step, providing that the address ororganisation to which the subsequent transmissions are sent, or fromwhich they are received, is the same as the address or organisation towhich the outbound data was sent or from which the inbound data wasreceived and in which the existence of a transaction was identified.379. The method of claim 378, wherein said analysing step includesdetecting one or more indicators of the nature of the transaction, andsaid rules of said policy data define the number of subsequenttransmissions of said outbound data and said inbound data that are to berecorded in said data repository based on the identified nature of thetransaction.
 380. The method of claim, 378 wherein said rules of saidpolicy data define the number of subsequent transmissions of saidoutbound and said inbound data that are to be stored in said datarepository in dependence on the indicator by which the existence of atransaction was identified.
 381. The method of claim 370 furthercomprising the step of recording all subsequent transmissions of saidoutbound data or said inbound data that occur within a pre-determinedamount of time following an identification of the existence of atransaction in said analysing step; providing that the address ororganisation to which the subsequent transmissions are sent, or fromwhich they are received, is the same as the address or organisation towhich the outbound data was sent or from which the inbound data wasreceived and in which the existence of a transaction was identified.382. The method of claim 381, wherein said analysing step includesdetecting one or more indicators of the nature of the transaction, andsaid rules of said policy data define the amount of time for which allsubsequent transmissions of said outbound data and said inbound data areto be recorded in said data repository based on the identified nature ofthe transaction.
 383. The method of claim 381 wherein said rules of saidpolicy data define the amount of time for which subsequent transmissionsof said outbound and said inbound data are to be stored in said datarepository in dependence on the indicator by which the existence of atransaction was identified.
 384. The method of claim 370 wherein saidanalysing step includes identifying, the completion of a transaction byanalysing said outbound data or said inbound data, and said storing stepincludes storing all or part of said outbound data transmitted by saidapplication and all or part of said inbound data received by saidapplication, after the existence of a transaction has been identifiedand before the completion of a transaction has been identified, in saiddata repository.
 385. The method of claim 384 wherein said analysingstep includes identifying subsequent related data contained in saidoutbound data transmitted by said application and said inbound datareceived by said application after the completion of a transaction, andsaid storing step includes storing said subsequent related data in saiddata repository with said transaction data already identified.
 386. Themethod of claim 385 wherein said analysing step includes identifyingsaid subsequent related data by identifying common indicators in bothsaid transaction data already identified and said outbound datatransmitted by said application and said inbound data received by saidapplication after the completion of a transaction has been identified,said common indicators being one or more of the address of the locationto which said outbound data is transmitted or from which said inbounddata is received, part of the data path to the location to which saidoutbound data is transmitted or from which said inbound data isreceived, account code or reference numbers.
 387. The method of claim370 wherein said application is operable such that a user of saidapplication can indicate said outbound and said inbound data that isrelated to a transaction, said analysing step including identifyingindicated outbound and inbound data.
 388. The method of claim 370further comprising the step of storing all of said outbound data andsaid inbound data in said memory of said workstation as previous data,irrespective of whether it mayor may not be part of a transaction and,said analysing step includes retrieving a pre-determined amount ofprevious data from said outbound data and said inbound data stored insaid memory of said workstation if the existence of a transaction isidentified, and said storing step includes storing said previous data insaid data repository with said transaction data.
 389. The method ofclaim 378 wherein said rules of said policy data specify the amount ofprevious data that is to be retrieved in dependence an the indicator bywhich the existence of a transaction is identified.
 390. The method ofclaim 388 wherein said network is the Internet and said application is aweb browser, said web browser being operable to store each web page thatis viewed by said web browser in memory as previous data.
 391. Themethod of claim 390 wherein said rules of said policy data specify thenumber of web pages that are to be retrieved from those previouslystored in memory independence on the indicator by which the existence ofa transaction is identified.
 392. The method of claim 370 furthercomprising the step of storing all of said outbound data and said 202inbound data in memory as previous data, irrespective of whether it mayor may not be part of a transaction and, said analysing step includesidentifying, in said previous data, earlier relevant data that isrelated to said transaction data already identified, and said storingstep includes storing said earlier relevant data in said data repositorywith said transaction data.
 393. The method of claim 392 wherein saidanalysing step includes identifying said earlier relevant data in saidprevious data, by identifying common indicators in both said transactiondata and said previous data, said common indicators being one or more ofthe address of the location to which said outbound data is transmittedor from which said inbound data is received, part of the data path tothe location to which said outbound data is transmitted or said inbounddata is received, account code or reference number.
 394. The method ofclaim 370 further comprising the steps of storing all of said outbounddata and said inbound data in memory as previous data, irrespective ofwhether it may or may not be part of a transaction; and if the existenceof a transaction is identified, providing a user of said applicationwith a selector for selecting earlier relevant data from said previousdata, and wherein said storing step includes storing said earlierrelevant data selected by the user in said data repository together withsaid transaction data.
 395. The method of claim 370 wherein saidanalysing step includes, once the existence of a transaction has beenidentified, determining the nature of said transaction by analysing thecontent of said outbound and inbound data, said rules of said policydata defining how said transaction data is to be stored in said datarepository in dependence on the nature of the transaction determined insaid analysing step, said transaction data being stored in said databaseaccording to said determination and said rules of said policy data. 396.The method of 395 wherein said analysing step includes determining thenature of the transaction by identifying in said outbound data and saidinbound data one or more indicators, said indicators being defined insaid rules of said policy data, and being one or more of: the address ofthe network location to which said data that may be part of atransaction is transmitted or from which it is received; part of thedata path to the network location to which said transaction data istransmitted or from which it is received; account codes; referencenumbers; credit card numbers; digital certificates and pre-determinedkeywords.
 397. The method of claim 370 wherein said analysing stepincludes identifying, once the existence of a transaction has beenidentified, one or more indicators of the nature of said transaction,and said storing step includes organising transaction data stored insaid data repository by said one or more indicators such that it forms arecord.
 398. The method of claim 397 wherein said rules of said policydata define said one or more indicators of the nature of a transaction,said indicators being one or more of: the address of the location towhich said transaction data is transmitted or from which it is received;part of the data path to the location to which said transaction data istransmitted or from which it is received; account codes, referencenumbers, credit card numbers, digital certificates and pre-determinedkeywords.
 399. The method of claim 37b wherein said analysing stepincludes determining the length of time taken to complete a transaction,and causing this to be data.
 400. The method of claim 370 wherein saidanalysing step includes determining the number of keystrokes ormouse-clicks made in order to complete the transaction, and causing thisto be stored in the data repository with the transaction data.
 401. Themethod of claim 370 wherein said analysing step includes determining thelength of time spent waiting for data to be downloaded to saidapplication during said transaction, and causing this to be stored inthe data repository with the transaction data.
 402. The method of claim370 wherein said analysing step includes determining the length of timethe web server takes to respond to outbound messages sent from saidapplication, and causing this to be stored in said data repository. 403.The method of claim 370 wherein said analysing step includes determiningthe length of time a user of said application takes to transmit aresponse to data downloaded to said application during said transaction,and causing this to be stored in the data repository with thetransaction data.
 404. The method of claim 370, wherein said analysingstep includes determining from the length of time a user of saidapplication takes to transmit a response to data downloaded to saidapplication, the length of time the user spends entering the data thatforms the response, and causing this to be stored in the data repositorywith the transaction data.
 405. The method of claim 370 wherein saiddata repository is accessible by one or more of an accounts application,an order processing application or other transaction managementapplication.
 406. The method of claim 370 further comprising the step ofencrypting any relevant data identified in said analysing step before itis stored in said data repository.
 407. The method of claim 370 furthercomprising the step of encrypting the data stored in said datarepository.
 408. The method of claim 370 wherein said analysing step isperformed at said one or more workstations.
 409. The method of claim 370wherein said application is a web browser.
 410. The method of claim 409wherein said analysing step is performed by a plug-in module of said webbrowser.
 411. The method of claim 410 wherein said web browser isMicrosoft's Internet Explorer and said plug-in module is a BrowserHelper Object.
 412. The method of claim 370 wherein said application isan e-mail client.
 413. The method of claim 412 wherein said analysingstep is performed by a plug-in module of said e-mail client.
 414. Themethod of claim 413 wherein said e-mail client is Microsoft's, Outlooke-mail client and said plug-in module is a Microsoft Exchange clientextension.
 415. The method of claim 370 wherein said application is anInstant messaging application.
 416. The method of claim 415 wherein saidanalyses is a plug-in of said Instant messaging application.
 417. Themethod of claim 370 wherein said network comprises a server, and saidanalysing step is performed at a point on said network intermediate saidone or more work stations and said server, or said analysing step isperformed at said server.
 418. The method of claim 370 wherein saidcomputer network to which said one or more workstations are adapted forconnection is a public computer network, and wherein said one or moreworkstations together form a private computer network.
 419. The methodof claim 370 further comprising the step of providing a supervisorworkstation, said policy data being accessible by said supervisorworkstation, such that a user of said supervisor workstation can editsaid policy data.
 420. A computer program product for controlling aplurality of computers in a private network to manage information, thenetwork having a data repository arranged to receive data from theplurality of computers, and policy data defining rules for the recordingof data that may comprise part of a transaction conducted between acomputer in the private network and a third party across a publicnetwork, comprising: a recording medium readable by a computer, havingprogram code-recorded thereon which when executed on each of saidplurality of computers configures said computers to: analyse, inconjunction with an application running on the computer that is operableto transmit outbound data to said public network and receive inbounddata from said public network, at least one of said outbound data andsaid inbound data to identify, with reference to said rules of saidpolicy data, the existence of a transaction occurring between thecomputer and a third party; and to control said computer to storetransaction data that is all or part of said outbound data or saidinbound data related to an identified transaction in said datarepository.
 421. The computer program product of claim 420 wherein saidprogram code when executed on said computer is operable to identify theexistence of a transaction by determining whether a secure link has beennegotiated between said application and a remote site on said publicnetwork, and whether the outbound data or said inbound data istransmitted on that link.
 422. The computer program product of claim 421wherein said public-network is the Internet, and said rules of saidpolicy data define the addresses of non-eCommerce web sites and/ornon-eCommerce e-mail accounts, wherein said program code when executedon said computer is operable to disregard any transactions that areidentified between the computer and a non-eCommerce web site and/ore-mail account such that no transaction data related to a transactionmade to a non-eCommerce web sites or a non-eCommerce e-mail account isstored in the data repository.
 423. The computer program product ofclaim 420 wherein said program code when executed on said computer isoperable to identify the existence of a transaction by reference to saidrules of said policy data, said rules of said policy data defining theaddresses of known eCommerce locations.
 424. The computer program;product of claim 420 wherein said program code when executed on saidcomputer is operable to identify credit card numbers, and the existenceof a transaction is identified by identifying credit card numbers insaid outbound data or inbound data.
 425. The computer program product ofclaim 420 wherein said program code when executed on said computer isoperable to identify the existence of a transaction by reference to saidrules of said policy data, said rules of said policy data defining oneor more of pre-determined digital certificates, account codes,pre-determined keywords, pre-determined names and addresses and embeddedcodes.
 426. The computer program product of claim 420 wherein saidprogram code when executed on said computer is operable to identify insaid inbound data an embedded code, said embedded code having beenplaced in said inbound data to identify it as transaction data.
 427. Thecomputer program product of claim 420 wherein said program code whenexecuted on said computer is operable to identify the existence of atransaction by identifying an electronic receipt in said outbound orinbound data.
 428. The computer program product of claim 420 whereinsaid program code when executed on said computer is further operable tocontrol the computer to record a pre-determined number of subsequenttransmissions of said outbound data or said inbound data following anidentification of the existence of a transaction, providing that theaddress or organisation to which the subsequent transmissions aretransmitted, or from which they are received, is the same as the addressor organisation to which the outbound data was sent or from which theinbound data was received and in which the existence of a transactionwas identified.
 429. The computer program product of claim 428, whereinsaid program code when executed on said computer is operable to detectone or more indicators of the nature of the transaction, and said rulesof said policy data define the number of subsequent transmissions ofsaid outbound data and said inbound data that are to be recorded in thedata repository based on the identified nature of the transaction. 430.The computer program product of claim 428 wherein said rules of saidpolicy data define the number of subsequent transmissions of saidoutbound and said inbound data that are to be stored in said datarepository in dependence on the indicator by which the. existence of atransaction was identified.
 431. The computer program product of claim420 wherein said program code when executed on said computer is operableto control the computer to record all subsequent transmissions of saidoutbound data or said inbound data that occur within a pre-determinedamount of time following an identification of the existence of atransaction, providing that the address or organisation to which thesubsequent transmissions are transmitted, or from which they arereceived, is the same as the address or organisation to which theoutbound data was transmitted or from which the inbound data wasreceived and in which the existence of a transaction was identified.432. The computer program product of claim 431 wherein said program codewhen executed on said computer is operable to detect one or moreindicators of the nature of the transaction, and said rules of saidpolicy data define the amount of time for which all subsequenttransmissions of said outbound data and said inbound data are to berecorded in said data repository based on the identified nature of thetransaction.
 433. The computer program product of claim 431 wherein saidrules of said policy data define the amount of time for which subsequenttransmissions of said outbound and said inbound data are to be stored insaid data repository in dependence on the indicator by which theexistence of a transaction was identified.
 434. The computer programproduct of claim 420 wherein said program code when executed on saidcomputer is operable to identify the completion of a transaction, ancontrol the computer to store all or part of said outbound datatransmitted by said application and all or part of said inbound datareceived by said application after the existence of a transaction hasbeen identified and before the completion of a transaction has been inidentified in said data repository.
 435. The computer program product ofclaim 434 wherein said program code when executed on said computer isoperable to identify subsequent related data contained in said outbounddata transmitted by said application and said inbound data received bysaid application after the completion of a transaction, and control thecomputer to store said subsequent related data in the data repositorywith said transaction data already identified.
 436. The computer programproduct of claim 435 wherein said program code when executed on saidcomputer is operable to identify said subsequent related data byidentifying common indicators in both said transaction data alreadyidentified and said outbound data transmitted by said application andsaid inbound data received by said application after the completion of atransaction has been identified, said common indicators being one ormore of the address of the location to which said outbound data istransmitted or from which said inbound data is received, part of thedata path to the location to which said outbound data is transmitted orfrom which said inbound data is received, account code or referencenumbers.
 437. The computer program product of claim 420 wherein saidapplication is operable such that a user of said application canindicate said outbound and said inbound data that is related to atransaction, said program code when executed on said computer beingoperable to identify said outbound and said inbound data so indicated.438. The computer program product of claim 420 wherein said program codewhen executed on said computer is operable to control the computer tostore all of said outbound data and said inbound data in memory asprevious data, irrespective of whether it may or may not be part of atransaction and, to retrieve a pre-determined amount of previous datafrom said outbound data: and said inbound data stored in memory if theexistence of a transaction is identified and to control the computer tostore said previous data in the data repository with said transactiondata.
 439. The computer program product of claim 438 wherein said rulesof said policy data specify the amount of previous data that is to beretrieved in dependence on the indicator by which the existence of atransaction is identified.
 440. The computer program product of claim438 wherein said public network is the Internet and said application isa web browser, said web browser being operable to store each web pagethat is viewed by said web browser in memory as previous data.
 441. Thecomputer program product of claim 440 wherein said rules of said policydata specify the number of web pages that are to be retrieved from thosepreviously stored in memory in dependence on the indicator by which theexistence of a transaction is identified.
 442. The computer programproduct of claim 420 wherein said program code when executed on saidcomputer is further operable to control the computer to store all ofsaid outbound data and said inbound data in memory as previous data,irrespective of whether it may or may not be part of a transaction and,to identify, in said previous data, earlier relevant data that isrelated to said transaction data already identified, and control thecomputer to store the earlier relevant data in the data repository withsaid transaction data.
 443. The computer program product of claim 442wherein said program code when executed on said computer is furtheroperable to identify said earlier relevant data in said previous data,by identifying common indicators in both said transaction data and saidprevious data, said common indicators being one or more of the addressof the location to which said outbound data is transmitted or from whichsaid inbound data is received, part of said path to the location towhich said outbound data is transmitted or said inbound data isreceived, account codes or reference numbers.
 444. The computer programproduct of claim 420 wherein said program code when executed on saidcomputer is further operable to control the computer to store all ofsaid outbound data and said inbound data in memory as previous data,irrespective of whether it may or may not be part of a transaction; andwherein said computer program product further comprises a selector,recorded on said recording medium, said selector being operable toselect earlier relevant data from said previous data in response toinput from a user, and wherein said program code when executed on saidcomputer is further operable to control the computer to store saidearlier relevant data selected by the user in said data repositorytogether with said transaction data.
 445. The computer program productof claim 420 wherein said program code when executed on said computer isoperable, once the existence of a transaction has been identified, todetermine the nature of said transaction by analysing the content ofsaid outbound and inbound data, said rules of said policy data defininghow said transaction data is to be stored in said data repository independence on the nature of the transaction that has been determined,said transaction data being stored in said database according to saiddetermination and said rules of said policy data.
 446. The computerprogram-product of claim 445 wherein said program code when executed onsaid computer is further operable to determine the nature of thetransaction by identifying in said outbound data and said inbound dataone or more indicators, said indicators being defined in said rules ofsaid policy data, and being one or more of the address of the publicnetwork location to which said data that may be part of a transaction istransmitted or from which it is received; part of the data path to thepublic network location to which said transaction data is transmitted orfrom which it is received; account codes; reference numbers; credit cardnumbers; digital certificates and pre-determined keywords.
 447. Thecomputer program product of claim 420 wherein said program code whenexecuted on said computer is further operable, once the existence of atransaction has been identified, to identify one or more indicators ofthe nature of said transaction, and to control the computer to organisethe storage of said transaction data by said one or more indicators suchthat it forms a record.
 448. The computer program product of claim 447wherein said rules of said policy data define said one or moreindicators of the nature of a transaction, said indicators being one ormore of: the address of the public location to which said transactiondata is transmitted or from which it is received; part of the data pathto the public location to which said transaction data is transmitted orfrom which it is received; account codes, reference numbers, credit cardnumbers, digital certificates and pre-determined keywords.
 449. Thecomputer program product of claim 420 wherein said program code whenexecuted on said computer is further operable to determine the length oftime taken to complete a transaction, and cause this to be stored in thedata repository with the transaction data.
 450. The computer programproduct of claim 420 wherein said program code when executed on saidcomputer is further operable to determine the number of keystrokes ormouse-clicks made in order to complete the transaction, and cause thisto be stored in the data repository with the transaction data.
 451. Thecomputer program product of claim 420 wherein said program code whenexecuted on said computer is further operable to determine the length oftime spent waiting for data to be downloaded to said application duringsaid transaction, and cause this to be stored in the data repositorywith the transaction data.
 452. The computer program product of claim420 wherein said program code when executed on said computer is furtheroperable to determine the length of time the web server takes to respondto outbound messages sent from said application, and cause this to bestored in said data repository.
 453. The computer program product ofclaim 420 wherein said program code when executed on said computer isfurther operable to determine the length of time a user of saidapplication takes to transmit a response to data downloaded to saidapplication during said transaction, and cause this to be stored in thedata repository with the transaction data.
 454. The computer programproduct of claim 420, wherein said program code when executed on saidcomputer is further operable to determine from the length of time a userof said application takes to transmit a response to data downloaded tosaid application, the length of time the user spends entering the datathat forms the response, and cause this to be stored in the datarepository with the transaction data.
 455. The computer program productof claim 420 wherein the data repository is accessible by one or more ofan accounts application, an order processing application or othertransaction management application.
 456. The computer program product ofclaim 420 wherein said program code when executed on said computer isfurther operable to cause any identified relevant data to be encryptedbefore it is stored in said data repository.
 457. The computer programproduct of claim 420 wherein said program code when executed on saidcomputer is further operable to cause any relevant data stored in thedata repository to be encrypted.
 458. The computer program product ofclaim 420 wherein said program code is executable at each of saidcomputers.
 459. The computer program product of claim 420 wherein saidapplication is a web browser.
 460. The computer program product of claim459 wherein said program code when executed on said computer is aplug-in module of said web browser.
 461. The computer program product ofclaim 460 wherein said web browser is Microsoft's Internet Explorer andsaid plug-in module is a Browser Helper Object.
 462. The computerprogram product of claim 420 wherein said application is an e-mailclient.
 463. The computer program product of claim 462 wherein saidprogram code when executed on said computer is a plug-in module of saide-mail client.
 464. The computer program product of claim 463 whereinsaid e-mail client is Microsoft's Outlook e-mail client and said plug-inmodule is a Microsoft Exchange client extension.
 465. The computersoftware product of claim 420 wherein said application is an Instantmessaging application.
 466. The computer software product of claim 465wherein said program code when executed on said computer is a plug-in ofsaid Instant messaging application.
 467. Computer program product ofclaim 420 wherein said network includes a server and said program codeis executable at a point on said network intermediate said one or moreworkstations and said server, or said program code is executable at saidserver.
 468. The computer program product of claim 420 furthercomprising program code recorded on the recording medium which whenexecuted on a computer in the plurality of computers enable thatcomputer as a supervisor workstation, said supervisor workstation havingaccess to said data repository and being operable to view said relevantdata stored in said data repository.
 469. The computer program productof claim 468 wherein said policy data is accessible by said supervisorworkstation, such that a user of said supervisor workstation can editsaid policy data.
 470. An information management system comprising: oneor more workstations adapted for connection to a computer network, eachworkstation having a memory; an application stored in said memory ofeach workstation for transmitting outbound data to said network andreceiving inbound data from said network; policy data, containing rulesfor the transmission of outbound data that may be part of a transaction;and an analyser, said analyser being operable in conjunction with saidpolicy data to identify in at least said outbound data, transaction datathat may be part of a transaction, and to make a determination inaccordance with said rules of said policy data as to whether thetransmission of said transaction data would satisfy said rules; andwherein the transmission of said transaction data by said application isdependent on said determination made by said analyser.
 471. The systemof claim 470, wherein according to said determination made by saidanalyser, said transaction data is either, transmitted, not transmitted,or sent to an approver who determines whether or not to transmit thetransaction data.
 472. The system of claim 471 further comprising: oneor more approvers, for deciding whether the transmission of said datathat may be part of a transaction may be made; wherein said analyser isoperable to identify in said data that may be part of a transaction,data that needs approval and to refer said data that needs approval toone of said one or more approvers; and the transmission of said datathat needs approval being dependent on the decision of said one or moreapprover.
 473. The system of claim 472 wherein said analyser is operableto identify said transaction data that needs approval by determining thenature of said transaction data and by checking said rules of saidpolicy data, said-rules of said policy data defining whether or notapproval is needed in dependence on the determined nature of saidtransaction data.
 474. The system of claim 472 wherein said analyser isoperable to determine the nature of said transaction data by identifyingat least one of the identity of the transmitter of said data, theidentity of the intended recipient of said data, the workstation fromwhich said data is to be transmitted, the sum for which a transaction isto be made, and the account against which a transaction is to be made.475. The system of claim 472 comprising a recorder, operable inconjunction with said analyser, for recording transaction data, whereinsaid one or more approvers have access to the transaction data stored bythe recorder such that when deciding whether to give approval or not,the one or more approvers can view all of the transaction data,including the data that needs approval.
 476. The system of claim 472wherein said analyser is operable to determine the nature of saidtransaction data that needs approval and to select said one of said oneor more approvers in dependence on that determination.
 477. The systemof claim 476 wherein said analyser is operable to determine the natureof said transaction data that needs approval by identifying at least oneof the identity of the transmitter of said data, the identity of theintended recipient of said data the work station from which said data isto be transmitted, the sum for which a transaction is to be made, andthe account against which the transaction is to be made.
 478. The systemof claim 470 wherein said analyser is operable to determine whether asecure link has been negotiated between said application and a remotesite on said network, and to identity said outbound data or said inbounddata as transaction data, if it is transmitted on a secure link. 479.The system of claim 478 wherein said network is the Internet, and saidrules of said policy data define the addresses of web sites or e-mailaccounts that negotiate secure links for the transmission of data butwhich are known not to be eCommerce sites or accounts, said analyserbeing operable to disregard said outbound data transmitted to those websites or accounts or said inbound data received from those web sites oraccounts, such that no approval is required.
 480. The system of claim470 wherein said analyser is operable to identify transaction data byreference to said rules of said policy data, said rules of said policydata defining the addresses of known eCommerce web sites and e-mailaccounts.
 481. The system of claim 470 wherein said analyser is operableto identify credit card numbers in said outbound data or said inbounddata, and to identify outbound data or inbound data that contains acredit card number as transaction data.
 482. The system of claim 481wherein said policy data specifies pre-determined credit card numbersthat can never be transmitted.
 483. The system of claim 470 wherein saidanalyser is operable to identify transaction data by reference to saidrules of said policy data, said rules of said policy data defining oneor more of pre-determined digital certificates, account codes,pre-determined keywords, pre-determined names and addresses and embeddedcodes.
 484. The system of claim 470 wherein said analyser is operable toidentify embedded codes in said inbound data, said embedded codes havingbeen placed in said inbound data to mark said inbound data astransaction data.
 485. The system of claim 470 wherein said applicationis operable such that a user of said application can indicate saidoutbound and said inbound data that is part of a transaction, saidanalyser being operable to identify said outbound and said inbound dataso indicated.
 486. The system of claim 470 wherein said analyser islocated on each of said one or more workstations.
 487. The system ofclaim 470 wherein said application is a web browser.
 488. The system ofclaim 487 wherein said analyser is a plug-in module of said web browser.489. The system of claim 488 wherein said web browser is Microsoft'sInternet Explorer and said analyser is a Browser Helper Object.
 490. Thesystem of claim 470 wherein said application is an e-mail client. 491.The system of claim 490 wherein said analyser is a plug-in module ofsaid e-mail client.
 492. The system of claim 491 wherein said e-mailclient is Microsoft's Outlook e-mail client and said analyser is aMicrosoft Exchange client extension.
 493. The system of claim 470wherein said application is an Instant messaging application.
 494. Thesystem of claim 493 wherein said analyser is a plug-in of said Instantmessaging application.
 495. The system of claim 470 wherein said networkcomprises a server and said analyser is located at a point on saidnetwork intermediate said one or more workstations and said server, orsaid analyser is located at said server.
 496. The system of claim 470wherein said computer network to which said one or more workstations areadapted for connection is a public computer network, and wherein saidone or more workstations together form a private computer network. 497.The system of claim 470 further comprising a supervisor workstation,said policy data being accessible by said supervisor workstation, suchthat a user of said supervisor workstation can edit said policy data.498. An information management system comprising: one or moreworkstations adapted for connection to a computer network, eachworkstation having a memory; application means, stored in said memory ofeach workstation, for transmitting outbound data to said network andreceiving inbound data from said network; policy storage means forstoring policy data, containing rules for the transmission of outbounddata that may be part of a transaction; and analyser means, operable inconjunction with said policy data, for identifying in at least saidoutbound data, transaction data that may be part of a transaction, andfor determining, in accordance with said rules of said policy data,whether the transmission of said transaction data would satisfy saidrules; and wherein the transmission of said transaction data by saidapplication means is dependent on said determination made by saidanalysing means.
 499. The system of claim 498, wherein according to saiddetermination made by said analysing means, said transaction data iseither, transmitted, not transmitted, or sent to an approver whodetermines whether or not to transmit the transaction data.
 500. Thesystem of claim 499 further comprising: one or more approvers, fordeciding whether the transmission of said data that may be part of atransaction may be made; wherein said analysing means is operable toidentify in said data that may be part of a transaction, data that needsapproval and to refer said data that needs approval to one of said oneor more approvers; and the transmission of said data that needs approvalbeing dependent on the decision of said one or more approver.
 501. Thesystem of claim 500 wherein said analysing means is operable to identifysaid transaction data that needs approval by determining the nature ofsaid transaction data and by checking said rules of said policy data,said rules of said policy data defining whether or not approval isneeded in dependence on the determined nature of said transaction data.502. The system of claim 500 wherein said analysing means is operable todetermine the nature of said transaction data by identifying at leastone of the identity of the transmitter of said data, the identity of theintended recipient of said data, the workstation from which said data isto be transmitted, the sum for which a transaction is to be made, andthe account against which a transaction is to be made.
 503. The systemof claim 500 comprising a recorder, operable in conjunction with saidanalysing means, for recording transaction data, wherein said one ormore approvers have access to the transaction data stored by therecorder such that when deciding whether to give approval or not, theone or more approvers can view all of the transaction data, includingthe data that needs approval.
 504. The system of claim 500 wherein saidanalysing means is operable to determine the nature of said transactiondata that needs approval and to select said one of said one or moreapprovers in dependence on that determination.
 505. The system of claim504 wherein said analysing means is operable to determine the nature ofsaid transaction data that needs approval by identifying at least one ofthe identity of the transmitter of said data, the identity of theintended recipient of said data, the work station from which said datais to be transmitted, the sum for which a transaction is to be made, andthe account against which the transaction is to be made.
 506. The systemof claim 498 wherein said analysing means is operable to determinewhether a secure link has been negotiated between said application and aremote site on said network, and to identify said outbound data or saidinbound data as transaction data, if it is transmitted on a secure link.507. The system of claim 506 wherein said network is the Internet, andsaid rules of said policy data define the addresses of web sites ore-mail accounts that negotiate secure links for the transmission of databut which are known not to be eCommerce sites or accounts, saidanalysing means being operable to disregard said outbound datatransmitted to those web sites or accounts or said inbound data receivedfrom those web sites or accounts, such that no approval is required.508. The system of claim 498 wherein said analysing means is operable toidentify transaction data by reference to said rules of said policydata, said rules of said policy data defining the addresses of knowneCommerce web sites and e-mail accounts.
 509. The system of claim 498wherein said analysing means is operable to identify credit card numbersin said outbound data or said inbound data, and to identify outbounddata or inbound data that contains a credit card number as transactiondata.
 510. The system of claim 509 wherein said policy data specifiespre-determined credit card numbers that can never be transmitted. 511.The system of claim 498 wherein said analysing means is operable toidentify transaction data by reference to said rules of said policydata, said rules of said policy data defining one or more ofpre-determined digital certificates, account codes, pre-determinedkeywords, pre-determined names and addresses and embedded codes. 512.The system of claim 498 wherein said analysing means is operable toidentify embedded codes in said inbound data, said embedded codes havingbeen placed in said inbound data to mark said inbound data astransaction data.
 513. The system of claim 498 wherein said applicationis operable such that a user of said application can indicate saidoutbound and said inbound data that is part of a transaction, saidanalysing means being operable to identify said outbound and saidinbound data so indicated.
 514. The system of claim 498 wherein saidanalysing means is located on each of said one or more workstations.515. The system of claim 498 wherein said application is a web browser.516. The system of claim 515 wherein said analysing means is a plug-inmodule of said web browser.
 517. The system of claim 516 wherein saidweb browser is Microsoft's Internet Explorer and said analysing means isa Browser Helper Object.
 518. The system of claim 498 wherein saidapplication is an e-mail client.
 519. The system of claim 518 whereinsaid analysing means is a plug-in module of said e-mail client.
 520. Thesystem of claim 519 wherein said e-mail client is Microsoft's Outlooke-mail client and said analysing means is a Microsoft Exchange clientextension.
 521. The system of claim 498 wherein said application is anInstant messaging application.
 522. The system of claim 521 wherein saidanalyser is a plug-in of said Instant messaging application.
 523. Thesystem of claim 498 wherein said network comprises a server and saidanalysing means is located at a point on said network intermediate saidone or more workstations and said server, or said analysing means islocated at said server.
 524. The system of claim 498 wherein saidcomputer network to which said one or more workstations are adapted forconnection is a public computer network, and wherein said one or moreworkstations together form a private computer network.
 525. The systemof claim 498 further comprising a supervisor workstation, said policydata being accessible by said supervisor workstation, such that a userof said supervisor workstation can edit said policy data.
 526. A methodfor managing information comprising the steps of: providing one or moreworkstations adapted for connection to a computer network, eachworkstation having a memory; providing an application stored in saidmemory of each workstation for transmitting outbound data to saidnetwork and receiving inbound data from said network; providing policydata, containing rules for the transmission of outbound data that may bepart of a transaction; and analysing at least said outbound data toidentify, with reference to said rule of said policy data, transactiondata that may be part of a transaction; determining, in accordance withsaid rules of said policy data, whether the transmission of saidtransaction data would satisfy said rules; controlling transmission ofsaid transaction data by said application in dependence on thedetermination made in said determining step.
 527. The method of claim526, wherein said controlling step includes said transaction data beingeither, transmitted, not transmitted, or sent to an approver whodetermines whether or not to transmit the transaction data.
 528. Themethod of claim 527 further comprising the steps of: identifying in saiddata that may be part of a transaction, data that needs approval;referring said data that need approval to one or more approvers forapproval; and monitoring whether or nor approval is received from saidone or more approvers; and wherein in said controlling step, thetransmission of said transaction data depends on whether or not approvalis received from said one or more approvers.
 529. The method of claim528 wherein said analysing step includes identifying said transactiondata that needs approval by determining the nature of said transactiondata and checking said rules of said policy data, said rules of saidpolicy data defining whether or not approval is needed in dependence onthe determined nature of said transaction data.
 530. The method of claim528 wherein said analysing step includes determining the nature of saidtransaction data by identifying at least one of the identity of thetransmitter of said data, the identity of the intended recipient of saiddata, the workstation from which said data is to be transmitted, the sumfor which a transaction is to be made, and the account from which atransaction is to be made.
 531. The method of claim 528 comprisingrecording said data that may be part of a transaction, and transmittingthis to said one or more approvers for review when deciding whether togive approval or not.
 532. The method of claim 528 wherein saidanalysing step includes determining the nature of said transaction datathat needs approval and selecting said one of said one or more approversin dependence on that determination.
 533. The method of claim 532wherein said analysing step includes determining the nature of saidtransaction data that needs approval by identifying at least one of theidentity of the transmitter of said data, the identity of the intendedrecipient of said data, the work station from which said data is to betransmitted, the sum for which a transaction is to be made, and theaccount from which the transaction is to be made.
 534. The method ofclaim 526 wherein said analysing step includes determining whether asecure link has been negotiated between said application and a remotesite on said network, and identifying said outbound data or said inbounddata as transaction data, if it is transmitted on a secure link. 535.The method of claim 534 wherein said network is the Internet, and saidrules of said policy data define the addresses of web sites or e-mailaccounts that negotiate secure links for the transmission of data butwhich are known not to be eCommerce sites or accounts, and saidanalysing step includes disregarding said outbound data transmitted tothose web sites or accounts or said inbound data received from those websites or accounts, such that no approval is required.
 536. The method ofclaim 526 wherein said analysing step includes identifying transactiondata by reference to said rules of said policy data, said rules of saidpolicy data defining the addresses of known eCommerce web sites ande-mail accounts.
 537. The method of claim 526 wherein said analysingstep includes identifying credit card numbers in said outbound data orsaid inbound data, and identifying outbound data or inbound data thatcontains a credit card number as transaction data.
 538. The method ofclaim 537 wherein said policy data specifies pre-determined credit cardnumbers that can never be transmitted.
 539. The method of claim 526wherein said analysing step includes identifying transaction data byreference to said rules of said policy data, said rules of said policydata defining one or more of pre-determined digital certificates,account codes, pre-determined keywords, pre-determined names andaddresses and embedded codes.
 540. The method of claim 526 wherein saidanalysing step includes detecting an embedded code in said inbound data,said embedded code having been placed in said inbound data to mark saidinbound data as transaction data.
 541. The method of claim 526 furthercomprising the step of providing a user of said,application with aselector to indicate said outbound and said inbound data that is part ofa transaction, said analysing step including identifying selectedoutbound and inbound data.
 542. The method of claim 526 wherein saidanalysing step is performed at said one or more workstations.
 543. Themethod of claim 526 wherein said application is a web browser.
 544. Themethod of claim 543 wherein said analysing step is a plug-in module ofsaid web browser.
 545. The method of claim 544 wherein said web browseris Microsoft's Internet Explorer and said plug-in module is a BrowserHelper Object.
 546. The method of claim 526 wherein said application isan e-mail client.
 547. The method of claim 546 wherein said analysingstep is performed by a plug-in module of said e-mail client.
 548. Themethod of claim 547 wherein said e-mail client is Microsoft's Outlooke-mail client and said analysing means is a Microsoft Exchange clientextension.
 549. The method of claim 526 wherein said application is anInstant messaging application.
 550. The method of claim 549 wherein saidanalyser is a plug-in of said Instant messaging application.
 551. Themethod of claim 526 wherein said network comprises a server and saidanalysing means is located at a point on said network intermediate saidone or more workstations and said'server, or said analysing means islocated at said server.
 552. The method of claim 526 wherein saidcomputer network to which said one or more workstations are adapted forconnection is a public computer network, and wherein said one or moreworkstations together form a private computer network.
 553. The methodof claim 526 further comprising the step of providing a supervisorworkstation, said policy data being accessible by said supervisorworkstation, such that a user of said supervisor workstation can editsaid policy data.
 554. A computer program product, for controlling acomputer to manage information, said computer being connected to apublic network and having access to policy data containing rules for thetransmission to the public network of outbound data that may be part ofa transaction, comprising: a recording medium readable by the computer,having program code recorded thereon which when executed on saidcomputer configures the computer to: analyse, in conjunction with anapplication running on the computer that is operable to transmitoutbound data to the public network and receive inbound data from thepublic network, at least said outbound data to identify, with referenceto said rules of said policy data, transaction data that may be part ofa transaction to determine, in accordance with said rules of said policydata, whether the transmission of said transaction data would satisfysaid rules; and to control the computer to control the transmission ofsaid transaction data by said application in dependence on thedetermination made by said analysing means.
 555. The computer programproduct of claim 554 wherein said program code when executed on saidcomputer is operable to control the computer such that said transactiondata is either, transmitted, not transmitted, or sent to an approver whodetermines whether or not to transmit the transaction data.
 556. Thecomputer program product of claim 555 wherein the program code whenexecuted on said computer is further operable to identify in said datathat may be part of a transaction, data that needs approval; refer saiddata that needs approval to one or more approvers for approval, andmonitor whether or not approval is received from said one or moreapprovers; and wherein the transmission of said transaction data by saidapplication depends on whether or not approval is received from said oneor more approvers;
 557. The computer program product of claim 556wherein said program code when executed on said computer is furtheroperable to identify said transaction data that needs approval bydetermining the nature of said transaction data and checking said rulesof said policy data, said rules of said policy data defining whether ornot approval is needed in dependence on the determined nature of saidtransaction data.
 558. The computer program product of claim 556 whereinsaid program code when executed on said computer is further operable todetermine the nature of said transaction data by identifying at leastone of the identity of the transmitter of said data, the identity of theintended recipient of said data, the computer in the private networkfrom which said data is to be transmitted, the sum for which atransaction is to be made, and the account from which a transaction isto be made.
 559. The computer program product of claim 556 wherein saidprogram code when executed on said computer is further operable torecord said data that may be part of a transaction, and cause this to betransmitted to said one or more approvers for their review when decidingwhether to give approval or not.
 560. The computer program product ofclaim 556 wherein said program code when executed on said computer isfurther operable to determine the nature of said transaction data thatneeds approval and select said one of said one or more approvers independence on that determination.
 561. The computer program product ofclaim 560 wherein said program code when executed on said computer isoperable to determine the nature of said transaction data that needsapproval by identifying at least one of the identity of the transmitterof said data, the identity of the intended recipient of said data, thecomputer in the private network from which said data is to betransmitted, the sum for which a transaction is to be made, and theaccount from which the transaction is to be made.
 562. The computerprogram product of claim 554 wherein said program code when executed onsaid computer is operable to determine whether a secure link has beennegotiated between said application and a remote site on said publicnetwork, and to identify said outbound data or said inbound data astransaction data, if it is transmitted on a secure link.
 563. Thecomputer program product of claim 562 wherein said public network is theInternet, and said rules of said policy data define the addresses of websites or e-mail accounts that negotiate secure links for thetransmission of data but which are known not to be eCommerce sites oraccounts, and said program code when executed on said computer isoperable to disregard said outbound data transmitted to those web sitesor accounts or said inbound data received from those web sites oraccounts, such that no approval is required.
 564. The computer programproduct of claim 554 wherein said program code when executed on saidcomputer is operable to identify transaction data by reference to saidrules of said policy data, said rules of said policy data defining theaddresses of known eCommerce web sites and the e-mail accounts.
 565. Thecomputer program product of claim 554 wherein said program code whenexecuted on said computer is operable to identify credit card numbers insaid outbound data or said inbound data, and to identify outbound dataor inbound data that contains a credit card number as transaction data.566. The computer program product of claim 565 wherein said policy dataspecifies pre-determined credit card numbers that can never betransmitted.
 567. The computer program product of claim 554 wherein saidprogram code when executed on said computer is operable to identifytransaction data by reference to said rules of said policy data, saidrules of said policy data defining one or more of pre-determined digitalcertificates, account codes, pre-determined keywords, pre-determinednames and addresses and embedded codes.
 568. The computer programproduct of claim 554 wherein said program code when executed on saidcomputer is operable to detect an embedded code in said inbound data,said embedded code having been placed in said inbound data to mark saidinbound data as transaction data.
 569. The computer program product ofclaim 554 further comprising, a selector, recorded on said recordingmedium, said selector being operable to select data in said outbound andsaid inbound data that is part of a transaction in response to inputfrom a user, said program code when executed on said computer beingoperable to identify said outbound and said inbound data so selected.570. The computer program product of claim 554 wherein said program codeis executable at said computer.
 571. The computer program product ofclaim 554 wherein said application is a web browser.
 572. The computerprogram product of claim 571 wherein said program code when executed onsaid computer is a plug-in module of said web browser.
 573. The computerprogram product of claim 572 wherein said web browser is Microsoft'sInternet Explorer and said plug-in module is a Browser Helper Object.574. The computer program product of claim 554 wherein said applicationis an e-mail client.
 575. The computer program product of claim 574wherein said program code when executed on said computer is a plug-inmodule of said e-mail client.
 576. The computer program product of claim575 wherein said e-mail client is Microsoft's Outlook e-mail client andsaid plug-in module is a Microsoft Exchange client extension.
 577. Thecomputer software product of claim 554 wherein said application is anInstant messaging application.
 578. The computer software product ofclaim 577 wherein said program code when executed on said computer is aplug-in of said Instant messaging application.
 579. The computer programproduct of claim 554 wherein said public network includes a server andsaid program code is executable at a point on said network intermediatesaid computer and said server, or said program code is executable atsaid server.
 580. An information management system comprising: one ormore workstations adapted for connection to a computer network, eachworkstation having a memory; an application stored in said memory ofeach workstation for receiving at least inbound data from said network;and analyser, said analyser being operable in conjunction with saidapplication to monitor said inbound data and to identify in at leastsaid inbound data, signed data that has been digitally signed with adigital certificate, to extract one or more details of said signed dataand to determine whether or not verification is required for saiddigital certificate; policy data, accessible by said analyser,containing rules which define whether or not verification is requiredfor said digital certificate; and wherein said analyser determineswhether or not verification is required for said digital certificate independence on said rules of said policy data and in dependence on saidone or more details of said signed data extracted by said analyser. 582.The system of claim 580 wherein said verification for said digitalcertificate includes determining whether said digital certificate hasbeen revoked.
 583. The system of claim 582 wherein said analyser isfurther operable to determine whether said signed data is part of aneCommerce transaction, and if it is, to determine the amount of moneythat is promised in that eCommerce transaction, wherein saidverification for the digital certificate also includes determiningwhether said digital certificate can be taken as a guarantee ofreceiving the amount of money promised in said eCommerce transaction.584. The system of claim 580 wherein said analyser is operable toextract as one or more details of said signed data, one or more of saiddigital certificate holder's identity, the expiry date of said digitalcertificate, the issue number of said digital certificate, and thedomain name from which the signed data was received, and wherein saidrules of said policy file define whether or not verification for saiddigital certificate is required in dependence on the one or more detailsextracted by said analyser.
 585. The system of claim 580 wherein saidanalyser is operable to determine whether or not an eCommercetransaction is occurring, and to extract, as one or more details of saidsigned data, the amount of any transaction being made with said digitalcertificate, the account code from which any payment is being made, acredit card number, one or more indicators of the nature of thetransaction, and wherein said rules of said policy file define whetheror not verification is required for a digital certificate in dependenceon the one or more details extracted by said analyser.
 586. The systemof claim 585 further comprising a data repository in which, digitalcertificates used to digitally sign any previously received signed dataor sufficient descriptive data to identify any such digitalcertificates, and transaction data describing any previous transactionsmade with those digital certificates are stored, said transaction databeing at least one or more of the date of any previous transactions madewith a digital certificate, and the amount of any previous transactionmade with that digital certificate, and wherein said rules of saidpolicy file define whether or not verification for said digitalcertificate is required in dependence on said transaction data.
 587. Thesystem of claim 580 further comprising a data repository, accessible bysaid analyser wherein said analyser is operable to identify any digitalcertificates that are used to digitally sign signed data in at leastsaid inbound data, and to cause any such digital certificates, orsufficient descriptive data to identify such digital certificates to bestored in said data repository.
 588. The system of claim 587 whereinsaid analyser is operable, to record the results of any verification foran digital certificate in said data repository together with saiddigital certificate or together with said descriptive data.
 589. Thesystem of claim 588 wherein said analyser is operable, if it identifiesa digital certificate in said inbound data, to determine whether saiddigital certificate has been previously stored in said data repository,or whether said descriptive information identifying said digitalcertificate has been stored in said data repository, and if said digitalcertificate has been previously stored, to look-up the results of anyprevious verification of whether said digital certificate has beenrevoked, wherein said analyser determines whether or not to verify ifsaid digital certificate has been revoked in dependence on said resultsof any previous verification of whether said identified digitalcertificate has been revoked.
 590. The system of claim 580 wherein saidanalyser is further operable to verify whether or not a digitalcertificate has been revoked, and wherein said application is operableto prevent said inbound data being viewed by a user of said applicationif said analyser determines that said digital certificate has beenrevoked.
 591. The system of claim 580 wherein said analyser is furtheroperable to verify whether or not a digital certificate has beenrevoked, and said application is operable to notify a user of saidapplication that said inbound data is not to be relied upon if saidanalyser determines that said digital certificate has been revoked. 592.The system of claim 580 wherein said analyser is located on each of saidone or more workstations.
 593. The system of claim 580 wherein saidapplication is a web browser.
 594. The system of claim 593 wherein saidanalyser is plug-in module of said web browser.
 595. The system of claim594 wherein said web browser is Microsoft's Internet Explorer and saidanalyser is a Browser Helper Object.
 596. The system of claim 580wherein said application is an e-mail client.
 597. The system of claim596 wherein said analyser is a plug in module of said e-mail client.598. The system of claim 597 wherein said e-mail client is Microsoft'sOutlook e-mail client and said analyser is a Microsoft client extension.599. The system of claim 580 wherein said application is an Instantmessaging application.
 600. The system of claim 599 wherein saidanalyser is a plug-in of said Instant messaging application.
 601. Thesystem of 580 wherein said network comprises a server, and said analyseris located at a point on said network intermediate said one or moreworkstations and said server, or said analyser is located at saidserver.
 602. The system of claim 580 wherein said computer network towhich said one or more workstations are adapted for connection is apublic computer network, and wherein said one or more workstationstogether form a private computer network.
 603. The system of claim 580further comprising a supervisor workstation, said policy data beingaccessible by said supervisor workstation, such that a user of saidsupervisor workstation can edit said policy data.
 604. An informationmanagement system comprising: one or more workstations adapted forconnection to a computer network, each workstation having a memory;application means, stored in said memory of each workstation, forreceiving at least inbound data from said network; analysing means,being operable in conjunction with said application means, formonitoring said inbound data to identify in at least said inbound datasigned data that has been digitally signed with a digital certificate,for extracting one or more details of said signed data and fordetermining whether or not verification is required for said digitalcertificate; policy storage means, accessible by said analysing means,for storing policy data containing rules which define whether or notverification is required for said digital certificate; and wherein saidanalysing means determines whether or not verification is required forsaid digital certificate independence on said rules of said policy dataand in dependence on said one or more details of said signed dataextracted by said analysing means.
 605. The system of claim 604 whereinsaid verification for said digital certificate includes determiningwhether said digital certificate has been revoked.
 606. The system ofclaim 605 wherein said analysing means is further operable to determinewhether said signed data is part of an eCommerce transaction, and if itis, to determine the amount of money that is promised in that eCommercetransaction, wherein said verification for the digital certificate alsoincludes determining whether said digital certificate can betaken as aguarantee of receiving the amount of money promised in said eCommercetransaction.
 607. The system of claim 604 wherein said analysing meansis operable to extract as one or more details of said signed data, oneor more of said digital certificate holder's identity, the expiry dateof said digital certificate, the issue number of said digitalcertificate, and the domain name from which the signed data wasreceived, and wherein said rules of said policy file define whether ornot verification for said digital certificate is required in dependenceon the one or more details extracted by said analysing means.
 608. Thesystem of claim 604 wherein said analysing means is operable todetermine whether or not an eCommerce transaction is occurring, and toextract, as one or more details of said signed data, the amount of anytransaction being made with said digital certificate, the account codefrom which any payment is being made, a credit card number, one or moreindicators of the nature of the transaction, and wherein said rules ofsaid policy file define whether or not verification is required for adigital certificate independence on the one or more details extracted bysaid analysing means.
 609. The system of claim 608 further comprising adata repository in which, digital certificates used to digitally signany previously received signed data or sufficient descriptive data toidentify any such digital certificates, and transaction data describingany previous transactions made with those digital certificates arestored, said transaction data being at least one or more of the date ofany previous transactions made with a digital certificate, and theamount of any previous transaction made with that digital certificate,and wherein said rules of said policy file define whether or notverification for said digital certificate is required in dependence onsaid transaction data.
 610. The system of claim 604 further comprising adata repository, accessible by said analysing means, wherein saidanalysing means is operable to identify any digital certificates thatare used to digitally sign signed data in at least said inbound data,and to cause any such digital certificates, or sufficient descriptivedata to identify such digital certificates to be stored in said datarepository.
 611. The system of claim 610 wherein said analysing means isoperable, to record the results of any verification for an digitalcertificate in said data repository together with said digitalcertificate or together with said descriptive data.
 612. The system ofclaim 611 wherein said analysing means is, operable, if it identifies adigital certificate in said inbound data, to determine whether saiddigital certificate has been previously stored in said data repository,or whether said descriptive information identifying said digitalcertificate has been stored in said data repository, and if said digitalcertificate has been previously stored, to look-up the results of anyprevious verification of whether said digital certificate has beenrevoked, wherein said analysing means determines whether or not toverify if said digital certificate has been revoked in dependence onsaid results of any previous verification of whether said identifieddigital certificate has been revoked.
 613. The system of claim 604wherein said analysing means is further operable to verify whether ornot a digital certificate has been revoked, and wherein said applicationmeans is operable to prevent said inbound data being viewed by a user ofsaid application means if said analysing means determines that saiddigital certificate has been revoked.
 614. The system of claim 604wherein said analysing means is further operable to verify whether ornot a digital certificate has been revoked, and said application meansis operable to notify a user of said application means that said inbounddata is not to be relied upon if said analysing means determines thatsaid digital certificate has been revoked.
 615. The system of claim 604wherein said analysing means is located on each of said one or moreworkstations.
 616. The system of claim 604 wherein said applicationmeans is a web browser.
 617. The system of claim 616 wherein saidanalysing means is a plug-in module of said web browser.
 618. The systemof claim 617 wherein said web browser is Microsoft is Internet Explorerand said analysing means is a Browser Helper Object.
 619. The system ofclaim 604 wherein said application means is an e-mail client.
 620. Thesystem of claim 619 wherein said analysing means is a plug-in module ofsaid e-mail client.
 621. The system of claim 620 wherein said e-mailclient is Microsoft's Outlook e-mail client and said analysing means isa Microsoft client extension.
 622. The system of claim 604 wherein saidapplication is an Instant messaging application.
 623. The system ofclaim 622 wherein said analyser is a plug-in of said Instant messagingapplication.
 624. The system of 604 wherein said network comprises aserver, and said analysing means is located at a point on said networkintermediate said one or more workstations and said server, or saidanalysing means is located at said server.
 625. The system of claim 604wherein said computer network to which said one or more workstations areadapted for connection is a public computer network, and wherein saidone or more workstations together form a private computer network. 625.The system of claim 604 further comprising a supervisor workstation,said policy data being accessible by said supervisor workstation, suchthat a user of said supervisor workstation can edit said policy data.626. A method of managing information comprising the steps of: providingone or more workstations adapted for connection to a computer network,each workstation having a memory; providing an application stored insaid memory of each workstation for receiving at least inbound data fromsaid network; providing policy data, containing rules which definewhether or not verification is required for a digital certificates usedto digitally sign signed data received in said inbound data; identifyingin at least said inbound data, signed data that has been digitallysigned with a digital certificate; extracting one or more details ofsaid signed data; and determining whether or not verification isrequired for said digital certificate in dependence on said rules ofsaid policy data and in dependence on said one or more details of saidsigned data extracted in said extracting step.
 627. The method of claim626 wherein said verification for the digital cetificate includesdetermining whether the digital certificate has been revoked.
 628. Themethod of claim 627 further comprising the step of determining whethersaid signed data is part of an eCommerce transaction, and if it is,determining the amount of money that is promised in that eCommercetransaction, wherein said verification for the digital certificate alsoincludes determining whether said digital certificate can be taken as aguarantee of receiving the amount of money promised in said eCommercetransaction.
 629. The method of claim 626 wherein said one or moredetails of said signed data extracted in said extracting step, includeone or more of said digital certificate holder's identity, the expirydate of said digital certificate, the issue number of said digitalcertificate; and the domain name from which the signed data wasreceived, and wherein said rules of said policy file define whether ornot verification for said digital certificate is required in dependenceon the one or more details.
 630. The method of claim 626 furthercomprising the step of determining whether or not an eCommercetransaction is occurring, and if it is, extracting in said extractingstep, as one or more details of said inbound data, the amount of anytransaction being made with said digital certificate, the account codefrom which any payment is being made, a credit card number, one or moreindicators of the nature of the transaction, and wherein said rules ofsaid policy file define whether or not verification is required for adigital certificate in dependence on said one or more details.
 631. Themethod of claim 630 further comprising the step of providing a datarepository in which digital certificates used to digitally sign anypreviously received signed data or sufficient descriptive data toidentify any such digital certificates, and transaction data describingany previous transactions made with those digital certificates arestored; said transaction data being at least one or more of the date ofany transactions made with a digital certificate, and the amount of anytransaction made with that digital certificate, and wherein said rulesof said policy file define whether or not verification for said digitalcertificate is required in dependence on said transaction data.
 632. Themethod of claim 626 further comprising the steps of identifying digitalcertificates used to sign signed data in said inbound data or digitalcertificates transmitted in said inbound data and storing said digitalcertificates or sufficient descriptive data to identify said digitalcertificates in said data repository.
 633. The method of claim 632further comprising the steps of recording the results of anyverification for a digital certificate in said data repository togetherwith said digital certificate.
 634. The method of claim 633 furthercomprising the step of determining whether said digital certificate hasbeen previously stored in said data repository, and if it has beenpreviously stored, to look-up the results of any previous verificationfor said digital certificate, wherein said step of determining whetheror not verification is required for said digital certificate isdependent on said results of any previous verification for said digitalcertificate.
 635. The method of claim 626 further comprising the stepsof determining whether or not a digital certificate has been revoked,and preventing said inbound data being viewed by a user of saidapplication if said identified digital certificate has been revoked.636. The method of claim 626 further comprising the steps of determiningwhether or not a digital certificate has been revoked, and notifying auser of said application that said inbound data is not to be relied uponif said digital certificate has been revoked.
 637. The method of claim626 wherein said steps of identifying a digital certificate, extractingone or more details from said signed data and determining whether or notverification is required are performed at said one or more workstations.638. The method of claim 626 wherein said application is a web browser.639. The method of claim 638 wherein said steps of identifying a digitalcertificate, extracting one or more details from said signed data anddetermining whether or not verification is required are performed by aplug-in module of said web browser.
 640. The method of claim 639 whereinsaid web browser is Microsoft's Internet Explorer and said plug-inmodule is a Browser Helper Object.
 641. The method of claim 626 whereinsaid application is an e-mail client.
 642. The method of claim 641wherein said steps of identifying a digital certificate, extracting oneor more details from said signed data and determining whether or notverification is required are performed by a plug-in module of saide-mail client.
 643. The method of claim 642 wherein said e-mail clientis Microsoft's Outlook e-mail client and said plug-in module is aMicrosoft Exchange client extension.
 644. The method of claim 626wherein said application is an Instant messaging application.
 645. Themethod of claim 644 wherein said analyser is a plug-in of said Instantmessaging application.
 646. The method of claim 626 wherein said networkcomprises a server, and said steps of identifying a digital certificate,extracting one or more details from said signed data and determiningwhether or not verification is required are performed at a point on saidnetwork intermediate said one or more workstations and said server, orsaid steps of identifying a digital certificate, extracting one or moredetails from said signed data and determining whether or notverification is required are performed at said server.
 647. The methodof claim 626 wherein said computer network to which said one or moreworkstations are adapted for connection is a public computer network,and wherein said one or more-workstations together form a privatecomputer network.
 648. The method of claim 626 further comprisingproviding a supervisor workstation, said policy data being accessible bysaid supervisor workstation, such that a user of said supervisorworkstation can edit said policy data.
 649. A computer program productfor controlling a computer connected to a public network to manageinformation, said computer having access to policy data containing ruleswhich define whether or not verification is required for a digitalcertificate used to digitally sign signed data received in inbound datafrom the public network, comprising: a recordable medium readable by thecomputer, having program code recorded thereon which when executed onsaid computer configures said computer to: analyse in conjunction withan application running on the computer that is operable to receive atleast inbound data from the public network, signed data that has beendigitally signed with a digital certificate, to extract one or moredetails of said signed data; to determine whether or not verification isrequired for said digital certificate in dependence on said rules ofsaid policy data and in dependence on the one or more extracted detailsof said signed data; and to control the application in dependence on thedetermination.
 650. The computer program product of claim 649 whereinsaid verification for the digital certificate includes determiningwhether the digital certificate has been revoked.
 651. The computerprogram product of claim 650 wherein said program code when executed onsaid computer is further operable to determine whether said signed datais part of an eCommerce transaction, and if it is to determine theamount of money that is promised in that eCommerce transaction, whereinsaid verification for the digital certificate also includes determiningwhether said digital certificate can be taken as a guarantee ofreceiving the amount of money promised in said eCommerce transaction.652. The computer program product of claim 649 wherein said one or moredetails of said signed data, include one or more of said digitalcertificate holder's identity, the expiry date of said digitalcertificate, the issue number of said digital certificate, and thedomain name from which the signed data was received, and wherein saidrules of said policy file define whether or not verification for saiddigital certificate is required in dependence on the one or moredetails.
 653. The computer program product of claim 649 wherein saidprogram code when executed on said computer is further operable todetermine whether or not an eCommerce transaction is occurring, and ifit is, to extract as one or more details of said signed data, the amountof any transaction being made with said digital certificate, the accountcode from which any payment is being made, a credit card number, one ormore indicators of the nature of the transaction, and wherein said rulesof said policy file define whether or not verification is required forsaid digital certificate in dependence on said one or more details. 654.The computer program product of claim 653 wherein the program code whenexecuted on said computer is further operable to control the computer torecord digital certificates used to digitally sign any signed datareceived in said inbound data or sufficient descriptive data to identifyany such digital certificates, and transaction data describing anytransactions made with those digital certificates in a data repositorysuch that a record is maintained of transactions made with a digitalcertificate; said transaction data being, at least one or more of thedate of any transactions made with a digital certificate, and the amountof any transaction made with that digital certificate, and wherein saidrules of said policy file define whether or not verification for saiddigital certificate is required in dependence on said transaction data.655. The computer program product of claim 649 wherein said program codewhen executed on said computer is further operable to control thecomputer to store digital certificates used to sign signed data in saidinbound data or digital certificates transmitted in said inbound dataand storing said digital certificates or sufficient descriptive data toidentify said digital certificates in a data repository.
 656. Thecomputer program product of claim 655 wherein said program code whenexecuted on said computer is further operable control the computer torecord the results of any verification for an identified digitalcertificate in said data repository together with said identifieddigital certificate.
 657. The computer program product of claim 656where in said program code when executed on said computer is operable todetermine whether said identified digital certificate has beenpreviously stored in said data repository, and if it has been previouslystored, to look-up the results of any previous verification for saididentified digital certificate, wherein the determination of whether ornot verification is required for said identified digital certificate isdependent on said results of any previous verification for saididentified digital certificate.
 658. The computer program product ofclaim 649 wherein said program code when executed on said computer isoperable to determine whether or not a digital certificate has beenrevoked, and control said application to prevent said inbound data beingviewed by a user of said application if said identified digitalcertificate has been revoked.
 659. The computer program product of claim649 wherein said program code when executed on said computer is operableto determine whether or not a digital certificate has been revoked, andto control said application to notify a user of said application thatsaid inbound data is not to be relied upon if said identified digitalcertificate has been revoked.
 660. The computer program product of claim649 wherein said program code is executable at said computer.
 661. Thecomputer program product of claim 649 wherein said application is a webbrowser.
 662. The computer program product of claim 661 wherein saidprogram code when executed on said computer is a plug-in module of saidweb browser.
 663. The computer program product of claim 662 wherein saidweb browser is Microsoft's Internet Explorer and said plug-in module isa Browser-Helper Object.
 664. The computer program product of claim 649wherein said application is an e-mail client.
 665. The computer programproduct of claim 664 wherein said program code when executed on saidcomputer is a plug-in module of said e-mail client.
 666. The computerprogram product of claim 665 wherein said e-mail client is Microsoft'sOutlook e-mail client and said plug-in module is a Microsoft Exchangeclient extension.
 667. The computer software product of claim 649wherein said application is an Instant messaging application.
 668. Thecomputer software product of claim 667 wherein said program code whenexecuted on said computer is a plug-in of said Instant-messagingapplication.
 669. The computer program product of claim 649 wherein saidnetwork includes a server and said program code is executable at a pointon said network intermediate said computer and said server, or saidprogram code is executable at said server.
 670. An informationmanagement system comprising: one or more workstations adapted forconnection to a computer network, each workstation having a memory; anapplication stored in said memory of, each workstation for transmittingoutbound messages to said network and receiving inbound messages fromsaid network; policy data containing rules for determining one or moreparticulars of the outbound message, and for controlling thetransmission of said outbound message in dependence on thoseparticulars; and an analyser, said analyser being operable inconjunction with said policy data to determine one or more particularsof the outbound message and to selectively re-direct the outboundmessage to a third party instead of the originally intended recipient.671. The system of claim 670 wherein the analyser is operable tore-direct the outbound message to said third party if the message is tobe sent to one or more of a pre-determined list of recipients oraddresses.
 672. The system of claim 670 wherein said policy datacomprises a list of names of company employees who can use saidapplication to send outbound messages from and receive inbound messagesat a company address, and wherein the analyser is operable to re-directthe outbound message of any of said employees to said third party, if itdetermines that the intended address of the outbound message containsone of a pre-determined list of domain names, and if the intendedaddress comprises at least one of the surname, first names or initialsof the employee on said list of names.
 673. The system of claim 670wherein the analyser is operable to re-direct the outbound message tosaid third party if the message contains one or more pre-determinedkeywords or combination of keywords.
 674. The system of claim 670wherein the analyser is operable to re-direct the outbound message tosaid third party if the message or attachments to the message are to beencrypted before transmission.
 675. The system of claim 674 wherein theanalyser is operable to re-direct the message with its originalencryption key to the third patty, and wherein the third party has meansto approve the message for transmission to the originally intendedrecipient and re-encrypt the message with the original key.
 676. Thesystem of claim 674 wherein the analyser is operable to add text to themessage before it is re-directed indicating that it is a re-directedmessage.
 677. The system of claim 670 wherein the analyser is operableto re-direct the outbound message to said third party if the messagecontains attachments, or particular types of attachments.
 678. Thesystem of claim 670 wherein the analyser is operable to re-direct theoutbound message to said third party if the message contains attachmentsand if the body or the subject of the message contains less than apre-determined amount of text.
 679. The system of claim 670 wherein theanalyser is operable to re-direct the outbound message to said thirdparty in dependence on the identity of the author of the message. 680.The system of claim 670 wherein means are provided on the re-directedmessage received by the third party for the third party to approve themessage for transmission to the originally intended recipient.
 681. Thesystem of claim 670 wherein said analyser is located on each of said oneor more workstations.
 682. The system of claim 670 wherein saidapplication is a web browser.
 683. The system of claim 682 wherein saidanalyser is a plug-in module of said web browser.
 684. The system ofclaim 683 wherein said web browser is Microsoft's Internet Explorer andsaid, analyser is a Browser Helper Object.
 685. The system of claim 670wherein said application is an e-mail client.
 686. The system of claim685 wherein said analyser is a plug-in module of said e-mail client.687. The system of claim 686 wherein said e-mail client is Microsoft'sOutlook e-mail client and said analyser is a Microsoft Exchange clientextension.
 689. The system of claim 670 wherein said application is anInstant messaging application.
 690. The system of claim 689 wherein saidanalyser is a plug-in of said Instant messaging application.
 691. Thesystem of claim 690 wherein said application is a Voice Messagingapplication.
 692. The system of claim 691 wherein said analyser is aplug-in of said Voice messaging application.
 693. The system of claim670 wherein said network includes a server and said analyser is locatedat a point on said network intermediate said one or more workstationsand said server, or said analyser is located at said server.
 694. Aninformation management system comprising: one or more workstationsadapted for connection to a computer network, each workstation having amemory; an application stored in said memory of each workstation forreceiving inbound messages from said network and for transmitting areceived message as an outbound message to said network; policy datacontaining rules for determining one or more particulars of the outboundmessage, and for controlling the transmission of said outbound messagein dependence on those particulars; and an analyser, said analyser beingoperable in conjunction with said policy data to determine one or moreparticulars of the outbound message and to selectively prevent theoutbound message being forwarded to another recipient, or to issue awarning before a message is forwarded to another recipient, independence on the rules defined in said policy data.
 695. The system ofclaim 694 wherein the policy data defines one or more pre-determinedkeywords, and wherein if the analyser determines that the messagecontains one or more of the pre-determined keywords or combination ofkeywords, the message is prevented from being forwarded to anotherrecipient or a warning is issued before the message is forwarded. 696.The system of claim 694 wherein the analyser is operable to prevent amessage being forwarded to one or more of a pre-determined list ofaddresses, or to issue a warning before forwarding the message to one ormore of the pre-determined list of addresses.
 697. The system of claim694 wherein the analyser is operable to prevent a message beingforwarded to an address outside a pre-determined group of addresses, orto issue a warning before forwarding the message, if previously themessage has only been transmitted among the predetermined group ofaddresses.
 698. The system of claim 694 wherein the received message hasa one or more attributes configurable by the sender of the message, oneof those attributes being a “do-not-forward” attribute, and the analyseris operable to prevent a received message being forwarded as an outboundmessage if the sender of the received message set the “do-not-forward”attribute.
 699. The system of claim 694 wherein the analyser is operableto prevent forwarding of the message, or to issue a warning beforeforwarding the message, if the recipient forwarding the message was theonly recipient of the original message.
 700. The system of claim 694wherein the analyser is further operable to cause the outbound messagethat is to be forwarded to first be re-directed to a third party forapproval, wherein if the third party gives his approval, the outboundmessage is forwarded to the originally intended recipients in the normalway.
 701. The system of claim 694 wherein said analyser is located oneach of said one or more workstations.
 702. The system of claim 694wherein said application is a web browser.
 703. The system of claim 702wherein said analyser is a plug-in module of said web browser.
 704. Thesystem of claim 703 wherein said web browser is Microsoft's InternetExplorer and said analyser is a Browser Helper Object.
 705. The systemof claim 694 wherein said application is an e-mail client.
 706. Thesystem of claim 705 wherein said analyser is a plug-in module of saide-mail client.
 707. The system of claim 706 wherein said e-mail clientis Microsoft's Outlook e-mail client and said analyser is a MicrosoftExchange client extension.
 708. The system of claim 694 wherein saidapplication is an Instant messaging application.
 709. The system ofclaim 708 wherein said analyser is a plug-in of said Instant messagingapplication.
 710. The system of claim 694 wherein said application is aVoice Messaging application.
 711. The system of claim 710 wherein saidanalyser is a plug-in of said Voice messaging application.
 712. Thesystem of claim 694 wherein said network includes a server and saidanalyser is located at a point on said network intermediate said one ormore workstations and said server, or said analyser is located at saidserver.
 713. An information management system comprising: one or moreworkstations adapted for connection to a computer network, eachworkstation having a memory; an application stored in said memory ofeach workstation for transmitting outbound messages to said network andreceiving inbound messages from said network; policy data containingrules for determining one or more particulars of the outbound message,and for controlling the transmission of said outbound messageindependence on those particulars; and an analyser, said analyser beingoperable in conjunction with said policy data to determine one or moreparticulars of the outbound message and to either selectively requirethat the message be digitally signed before transmission, or to notifythe sender of the message that digitally signing is recommended, or torequire that a digitally signed message be transmitted withoutsignature, or to notify the sender of the message digitally signing isnot recommended.
 714. The system of claim 713 wherein whether themessage is required to be digitally signed, whether the digitally signedmessage is required to be transmitted without signature, whether it isrecommended that the message be digitally signed, or whether it isrecommended that the digitally signed message be transmitted withoutsignature, are dependent on the intended recipient or address of themessage.
 715. The system of claim 713 wherein whether the message isrequired to be digitally signed, whether the digitally signed message isrequired to be transmitted without signature, whether it is recommendedthat the message be digitally signed, or whether it is recommended thatthe digitally signed message be transmitted without signature, aredependent on whether the message contains one or more keywords, orcombination of keywords, in a pre-determined list of keywords.
 716. Thesystem of claim 713 wherein whether the message is required to bedigitally signed, whether the digitally signed message is required to betransmitted without signature, whether it is recommended that themessage be digitally signed, or whether it is recommended that thedigitally signed message be transmitted without signature, are dependenton the identity author of the outbound message.
 717. The system of claim713 wherein whether the digitally signed message is required to betransmitted without signature, or whether it is, recommended that thedigitally signed message be transmitted without signature, are dependenton the type of digital certificate or signing key used to digitally signthe message.
 718. The system of claim 713 wherein the analyser isoperable to determine what digital certificates, or signing keys, areavailable to digitally sign an outbound message, and wherein whether themessage is required to be digitally signed, whether the digitally-signedmessage is required to be transmitted without signature, whether it isrecommended that the message be digitally signed, or whether it isrecommended that the digitally signed message be transmitted withoutsignature, are dependent on the type of certificate or signing key usedto digitally sign the message, and on the types of digital certificateor signing key available to sign the message.
 719. The system of claim713 wherein the analyser is further operable to cause the outboundmessage that is to be forwarded to first be re-directed to a third partyfor approval, wherein if the third party gives his approval, theoutbound message is forwarded to the originally intended recipients inthe normal way.
 720. The system of claim 713 wherein said analyser islocated on each of said one or more workstations.
 721. The system ofclaim 713 wherein said application is a web browser.
 722. The system ofclaim 721 wherein said analyser is a plug-in module of said web browser.723. The system of claim 722 wherein said web browser is Microsoft'sInternet Explorer and said analyser is a Browser Helper Object.
 724. Thesystem of claim 713 wherein said application is an e-mail client. 725.The system of claim 724 wherein said analyser is a plug-in module ofsaid e-mail client.
 726. The system of claim 725 wherein said e-mailclient is Microsoft's Outlook e-mail client and said analyser is aMicrosoft Exchange client extension.
 727. The system of claim 713wherein said application is an Instant messaging application.
 728. Thesystem of claim 727 wherein said analyser is a plug-in of said Instantmessaging application.
 729. The system of claim 713 wherein saidapplication is a Voice Messaging application.
 730. The system of claim129 wherein said analyser is a plug-in of said Voice messagingapplication.
 731. The system of claim 713 wherein said network includesa server and said analyser is located at a point on said networkintermediate said one or more workstations and said server, or saidanalyser is located at said server.
 732. An information managementsystem comprising: one or more workstations adapted for connection to acomputer network, each workstation having a memory; an applicationstored in said memory of each workstation for transmitting outbound datato said network and receiving inbound data from said network; policydata containing rules for determining one or more particulars of theoutbound data, and for controlling the transmission of said outbounddata in dependence on those particulars; and an analyser, said analyserbeing operable in conjunction with said policy data to determine one ormore particulars of the outbound data and control the transmission ofsaid data according to said policy data.
 733. The system of claim 732wherein the analyser is operable to prevent outbound data beingtransmitted to a web site on the Internet, if it determines that the website is in a pre-determined list of prohibited web sites, and if it isdetermined that the outbound data contains one or more pre-determinedkeywords, or combinations of keywords.
 734. An information managementsystem comprising: one or more workstations adapted for connection to acomputer network, each workstation having a memory; application means,stored in said memory of each workstation, for transmitting outboundmessages to said network and receiving inbound messages from saidnetwork; policy storage means for storing policy data containing rulesfor determining one or more particulars of the outbound message, saidrules being for controlling the transmission of said outbound message independence on those particulars; and analysing means, operable inconjunction with said policy data, for determining one or moreparticulars of the outbound message and for selectively re-directing theoutbound message to a third party instead of the originally intendedrecipient.
 735. The system of claim 734 wherein the analysing means isoperable to re-direct the outbound message to said third party if themessage is to be sent to one or more of a predetermined list ofrecipients or addresses.
 736. The system of claim 734 wherein saidpolicy data comprises a list of names of company employees who can usesaid application means to send outbound messages from and receiveinbound messages at a company address, and wherein the analysing meansis operable to re-direct the outbound message of any of said employeesto said third party, if it determines that the intended address of theoutbound message contains one of a predetermined list of domain names,and if the intended address comprises at least one of the surname, firstnames or initials of an employee in said list of names.
 737. The systemof claim 734 wherein the analysing means is operable to re-direct theoutbound message to said third party if the message contains one or morepre-determined keywords or combination of keywords.
 738. The system ofclaim 734 wherein the analysing means is operable to re-direct theoutbound message to said third party if the message or attachments tothe message are to be encrypted before transmission.
 739. The system ofclaim 737 wherein the analysing means is operable to re-direct themessage with its original encryption key to the third party, and whereinthe third party has means to approve the message for transmission to theoriginally intended recipient and re-encrypt the message with theoriginal key.
 740. The system of claim 737 wherein the analysing meansis operable to add text to the message before it is re-directedindicating that it is a re-directed message.
 741. The system of claim734 wherein the analysing means is operable to re-direct the outboundmessage to said third party if the message contains attachments, orparticular types of attachments.
 742. The system of claim 734 whereinthe analysing means is operable to re-direct the outbound message tosaid third party if the message contains attachments and if the body orthe subject of the message contains less than a pre-determined amount oftext.
 743. The system of claim 734 wherein the analysing means isoperable to re-direct the outbound message to said third party independence on the identity of the author of the message.
 744. The systemof claim 734 wherein the third party has means to approve the messagefor transmission to the originally intended recipient.
 745. The systemof claim 734 wherein said analysing means is located on each of said oneor more workstations.
 746. The system of claim 734 wherein saidapplication means is a web browser.
 747. The system of claim 746 whereinsaid analysing means is a plug-in module of said web browser.
 748. Thesystem of claim 747 wherein said web browser is Microsoft's InternetExplorer and said analysing means is a Browser Helper Object.
 749. Thesystem of claim 734 wherein said application means is an e-mail client.750. The system of claim 749 wherein said analysing means is a plug-inmodule of said e-mail client.
 751. The system of claim 750 wherein saide-mail client is Microsoft's Outlook e-mail client and said analysingmeans is a Microsoft Exchange client extension.
 752. The system of claim734 wherein said application means is an Instant messaging application.753. The system of claim 752 wherein said analysing means is a plug-inof said Instant messaging application.
 754. The system of claim 734wherein said application means is a Voice Messaging application. 755.The system of claim 754 wherein said analysing means is a plug-in ofsaid Voice messaging application.
 756. The system of claim 734 whereinsaid network includes a server and said analysing means is located at apoint on said network intermediate said one or more workstations andsaid server, or said analysing means is located at said server.
 757. Aninformation management system comprising: one or more workstationsadapted for connection to a computer network, each workstation having amemory; application means, stored in said memory of each workstation,for receiving inbound messages from said network and for transmitting areceived message as an outbound message to said network; policy storagemeans for storing policy data containing rules for determining one ormore particulars of the outbound message, said rules being forcontrolling the transmission of said outbound message in dependence onthose particulars; and analysing means, operable in conjunction withsaid policy data, for determining one or more particulars of theoutbound message and for selectively preventing the outbound messagebeing forwarded to another recipient, or for issuing a warning before amessage is forwarded to another recipient, in dependence on the rulesdefined in said policy data.
 758. The system of claim 757 wherein thepolicy data defines one or more pre-determined keywords, and wherein ifthe analysing means determines that the message contains one or more ofthe pre-determined keywords or combination of keywords, the message isprevented from being forwarded to another recipient or a warning isissued before the message is forwarded.
 759. The system of claim 757wherein the analysing means is operable to prevent a message beingforwarded to one or more of a pre-determined list of addresses, or toissue a warning before forwarding the message to one or more of thepre-determined list of addresses.
 760. The system of claim 757 whereinthe analysing means is operable to prevent a message being forwarded toan address outside a pre-determined group of addresses, or to issue awarning before forwarding the message, if previously the message hasonly been transmitted among the pre-determined group of addresses. 761.The system of claim 757 wherein the received message has a one or moreattributes configurable by the sender of the message, one of thoseattributes being a “do-not-forward” attribute, and the analysing meansis operable to prevent a received message being forwarded as an outboundmessage if the sender of the received message set the “do-not-forward”attribute.
 762. The system of claim 757 wherein the analysing means isoperable to prevent forwarding of the message, or to issue a warningbefore forwarding the message, if the recipient forwarding the messagewas the only recipient of the original message.
 763. The system of claim757 wherein the analysing means is further operable to cause theoutbound message that is to be forwarded to first be re-directed to athird party for approval, wherein if the third party gives his approval,the outbound message is forwarded to the originally intended recipientsin the normal way.
 764. The system of claim 757 wherein said analysingmeans is located on each of said one or more workstations.
 765. Thesystem of claim 757 wherein said application means is a web browser.766. The system of claim 765 wherein said analysing means is a plug-inmodule of said web browser.
 767. The system of claim 766 wherein saidweb browser is Microsoft's Internet Explorer and said analysing means isa Browser Helper Object.
 768. The system of claim 757 wherein saidapplication means is an e-mail client.
 769. The system of claim 768wherein said analysing means is a plug-in module of said e-mail client.770. The system of claim 769 wherein said e-mail client is Microsoft'sOutlook e-mail client and said analysing means is a Microsoft Exchangeclient extension.
 771. The system of claim 757 wherein said applicationmeans is an Instant messaging application.
 772. The system of claim 771wherein said analysing means is a plug-in of said Instant messagingapplication.
 773. The system of claim 757 wherein said application meansis a Voice Messaging application.
 774. The system of claim 773 whereinsaid analysing means is a plug-in of said Voice messaging application.775. The system of claim 757 wherein said network includes a server andsaid analysing means is located at a point on said network intermediatesaid one or more workstations and said server, or said analysing meansis located at said server.
 776. An information management systemcomprising: one or more workstations adapted for connection to acomputer network, each workstation having a memory; application meansstored in said memory of each workstation for transmitting outboundmessages to said network and receiving inbound messages from saidnetwork; policy storage means for storing data containing rules fordetermining one or more particulars of the outbound message, said rulesbeing for controlling the transmission of said outbound message independence on those particulars; and analysing means, operable inconjunction with said policy data, for determining one or moreparticulars of the outbound message and for either selectively requiringthat the message be digitally signed before transmission or, fornotifying the sender of the message that digitally signing isrecommended, or for requiring that a digitally signed message betransmitted without signature; or notifying the sender of the messagethat not digitally signing the message is recommended.
 777. The systemof claim 776 wherein whether the message is required to be digitallysigned, whether the digitally signed message is required to betransmitted without signature, whether it is recommended that themessage be digitally signed, or whether it is recommended that thedigitally signed message be transmitted without signature, are dependenton the intended recipient or address of the message.
 778. The system ofclaim 776 wherein whether the message is required to be digitallysigned, whether the digitally signed message is required to betransmitted without signature, whether it is recommended that themessage be digitally signed, or whether it is recommended that thedigitally signed message be transmitted without signature, are dependenton whether the message contains one or more keywords, or combination ofkeywords, in a pre-determined list of keywords.
 779. The system of claim776 wherein whether the message is required to be digitally signedwhether the digitally signed message is required to be transmittedwithout signature, whether it is recommended that the message bedigitally signed, or whether it is recommended that the digitally signedmessage be transmitted without signature, are dependent on the identityof the author of the outbound message.
 780. The system of claim 776wherein whether the digitally signed message is required to betransmitted without signature, or whether it is recommended that thedigitally signed message be transmitted without signature, are dependenton the type of digital certificate or signing key used to digitally signthe message.
 781. The system of claim 776, wherein the analysing meansis operable to determine what digital certificates, or signing keys, areavailable to digitally sign an outbound message, and wherein whether themessage is required to be digitally signed, whether the digitally signedmessage is required to be transmitted without signature, whether it isrecommended that the message be digitally signed, or whether it isrecommended that the digitally signed message be transmitted withoutsignature, are dependent on the type of certificate or signing key usedto digitally sign the message, and on the types of digital certificateor signing key available to sign the message.
 782. The system of claim776 wherein the analysing means is further operable to cause theoutbound message that is to be forwarded to first be re-directed to athird party for approval, wherein if the third party gives his approval,the outbound message is forwarded to the originally intended recipientsin the normal way.
 783. The system of claim 776 wherein said analysingmeans is located on each of said one or more workstations.
 784. Thesystem of claim 776 wherein said application means is a web browser.785. The system of claim 784 wherein said analysing means is a plug-inmodule of said web browser.
 786. The system of claim 785 wherein saidweb browser is Microsoft's Internet Explorer and said analysing means isa Browser Helper Object.
 787. The system of claim 776 wherein saidapplication means is an e-mail client.
 789. The system of claim 787wherein said analysing means is a plug-in module of said e-mail client.790. The system of claim 789 wherein said e-mail client is Microsoft'sOutlook e-mail client and said analysing means is a Microsoft Exchangeclient extension.
 791. The system of claim 776 wherein said applicationmeans is an Instant messaging application.
 792. The system of claim 791wherein said analysing means is a plug-in of said Instant messagingapplication.
 793. The system of claim 776 wherein said application meansis a Voice Messaging application.
 794. The system of claim 793 whereinsaid analysing means is a plug-in of said Voice messaging application.795. The system of claim 776 wherein said network includes a server andsaid analysing means is located at a point on said network intermediatesaid one or more workstations and said server, or said analysing meansis located at said server.
 796. An information management systemcomprising: one or more workstations adapted for connection to acomputer network, each workstation having a memory; application meansstored in said memory of each workstation for transmitting outbound datato said network and receiving inbound data from said network; policystorage means for storing data containing rules for determining one ormore particulars of the outbound data, said rules being for controllingthe transmission of said outbound data in dependence on thoseparticulars; and analysing means, operable in conjunction with saidpolicy data, for determining one or more particulars of the outbounddata and controlling the transmission of said outbound data according tosaid policy data.
 797. The system of claim 796 wherein the analysingmeans is operable to prevent outbound data being transmitted to a website on the Internet, if it determines that the web site is in apre-determined list of prohibited web sites, and if it is determinedthat the outbound data contains one or more predetermined keywords, orcombinations of keywords.
 798. A method of managing informationcomprising the steps of: providing one or more workstations adapted forconnection to a computer network, each workstation having a memory;providing an application stored in said memory of each workstation fortransmitting outbound messages to said network and receiving inboundmessages from said network; providing policy data containing rules fordetermining one or more particulars of the outbound message, and forcontrolling the transmission of said outbound message in dependence onthose particulars; and analysing said outbound message to determine, inconjunction with said policy data, said one or more particulars; andselectively re-directing the outbound message to a third party insteadof the originally intended recipient in dependence on said one or moreparticulars.
 799. The method of claim 798 wherein the outbound messageis re-directed to said third party if the message is to be sent to oneor more of a pre-determined list of recipients or addresses.
 800. Themethod of claim 798 wherein said policy data comprises a list of namesof company employees who can use said application to send outboundmessages from and receive inbound messages at a company address, andwherein the outbound message of any of said employees is re-directed tosaid third party, if it is determined in the analysing step that theintended address of the outbound message contains one of a predeterminedlist of domain names, and if the intended address comprises at least oneof the surname, first names or initials of an employee in said list ofnames.
 801. The method of claim 798 wherein the outbound message isre-directed to said third party if the message contains one or morepre-determined keywords or combination of keywords.
 802. The method ofclaim 798 wherein the outbound message is re-directed to said thirdparty if the message or attachments to the message are to be encryptedbefore transmission.
 803. The method of claim 802 comprising the stepsof: re-directing the outbound message with its original encryption keyto the third party, and providing means for the third party to approvethe message for transmission to the originally intended recipient andre-encrypt the message with the original key.
 804. The method of claim802 comprising adding text to the message before it is re-directedindicating that it is are directed message.
 805. The method of claim 798wherein the outbound message is re-directed to said third party if themessage contain attachments, or particular types of attachments. 806.The method of claim 798 wherein the outbound message is re-directed tosaid third party if the message contains attachments and if the body orthe subject of the message contains less than a pre-determined amount oftext.
 807. The method of claim 798 wherein the outbound message isre-directed to said third party in dependence on the identity of theauthor of the message.
 808. The method of claim 798 comprising providingmeans for the third party to approve the message for transmission to theoriginally intended recipient.
 809. The method of claim 798 wherein saidanalysing step is performed at each of said one or more workstations.810. The method of claim 798 wherein said application is a web browser.811. The method of claim 810 wherein said analysing step is performed bya plug-in module of said web browser.
 812. The method of claim 811wherein said web browser is Microsoft's Internet Explorer and saidplug-in module is a Browser Helper Object.
 813. The method of claim 798wherein said application is an e-mail client.
 814. The method of claim813 wherein said analysing step is performed by a plug-in module of saide-mail client.
 815. The method of claim 814 wherein said e-mail clientis Microsoft outlook e-mail client and said plug-in module is aMicrosoft Exchange client extension.
 816. The method of claim 798wherein said application is an Instant-messaging application.
 817. Themethod of claim 816 wherein said analysing step is performed by aplug-in of said Instant messaging application.
 818. The method of claim798 wherein said application is a Voice Messaging application.
 819. Themethod of claim 818 wherein said analysing step is performed by aplug-in of said Voice messaging application.
 820. The system of claim798 wherein said network includes a server and said analysing step isperformed at a point on said network intermediate said one or moreworkstations and said server, or is performed at said server.
 821. Amethod of managing information comprising the steps of: providing one ormore workstations adapted for connection to a computer network, eachworkstation having a memory; providing an application stored in saidmemory of each workstation for receiving inbound messages from saidnetwork and for transmitting a received message as an outbound messageto said network; providing policy data containing rules for determiningone or more particulars of the outbound message, and for controlling thetransmission of said outbound message in dependence on thoseparticulars; and analysing said outbound message in conjunction withsaid policy data, to determine one or more particulars of said outboundmessage; and selectively preventing the outbound message being forwardedto another recipient, or issuing a warning before the outbound messageis forwarded to another recipient, in dependence on the rules defined insaid policy data and in dependence on said one or more particulars. 822.The method of claim 821 wherein the policy data defines one or morepre-determined keywords, and wherein if it is determined in theanalysing step that the message contains one or more of thepre-determined keywords or combination of keywords, the message isprevented from being forwarded to another recipient or a warning isissued before the message is forwarded.
 823. The method of claim 821wherein the outbound message is prevented from being forwarded, or awarning is issued before forwarding the outbound message, if it isdetermined that the outbound message is to be forwarded to one or moreof a predetermined list of addresses.
 824. The method of claim 821wherein the outbound message is prevented from being forwarded, or awarning is issued before forwarding the outbound message, if it isdetermined that the outbound message is to be forwarded to an addressoutside a pre-determined group of addresses, and that previously themessage has only been transmitted among that pre-determined group ofaddresses.
 825. The method of claim 821 wherein the received message hasone or more attributes configurable by the sender of the message, one ofthose attributes being a “do-not-forward” attribute, and the outboundmessage is prevented from being forwarded, if it is determined that thesender of the received message set the “do-not-forward” attribute. 826.The method of claim 821 wherein the outbound message is prevented frombeing forwarded, or a warning is issued before forwarding the outboundmessage, if it is determined that the recipient forwarding, the outboundmessage was the only recipient of the received message.
 827. The methodof claim 821 comprising causing the outbound message that is to beforwarded to first be re-directed to a third party for approval, whereinif the third party gives his approval, the outbound message is forwardedto the originally intended recipients in the normal way.
 828. The methodof claim 821 wherein said analysing step is performed at each of saidone or more workstations.
 829. The method of claim 821 wherein saidapplication is a web browser.
 830. The method of claim 829 wherein saidanalysing step is performed by a plug-in module of said web browser.831. The method of claim 830 wherein said web browser is Microsoft'sInternet Explorer and said plug-in module is a Browser Helper Object.832. The method of claim 831 wherein said application is an e-mailclient.
 833. The method of claim 832 wherein said analysing step isperformed by a plug-in module of said e-mail client.
 834. The method ofclaim 834 wherein said e-mail client is Microsoft's Outlook e-mailclient and said plug-in module is a Microsoft Exchange client extension.835. The method of claim 821 wherein said application is an Instantmessaging application.
 836. The method of claim 835 wherein saidanalysing step is performed by a plug-in of said Instant messagingapplication.
 837. The method of claim 821 wherein said application is aVoice Messaging application.
 838. The method of claim 837 wherein saidanalysing step is performed by a plug-in of said Voice messagingapplication.
 839. The method of claim 821 wherein said network includesa server and said analysing step is performed at a point on said networkintermediate said one or more workstations and said server, or isperformed at said server.
 840. A method of managing informationcomprising the steps of providing one or more workstations adapted forconnection to a computer network, each workstation having a memory;providing an application stored in said memory of each workstation fortransmitting outbound messages to said network and receiving inboundmessages from said network; providing policy data containing rules fordetermining one or more particulars of the outbound message, and forcontrolling the transmission of said outbound message in dependence onthose particulars; analysing, in conjunction with said policy data saidoutbound messages, to determine one or more particulars of said outboundmessages, in particular, whether said outbound message is digitallysigned; and either selectively requiring that the outbound message bedigitally signed before transmission, or that the outbound message, ifdigitally signed, not be digitally signed; or notifying the sender ofthe message that digitally signing is recommended, or is notrecommended.
 841. The method of claim 840 wherein whether the message isrequired to be digitally signed, whether the digitally signed message isrequired to be transmitted without signature, whether it is recommendedthat the message be digitally signed, or whether it is recommended thatthe digitally signed message be transmitted without signature aredependent on the intended recipient or address of the message.
 842. Themethod of claim 840 wherein whether the message is required to bedigitally signed, whether the digitally signed message is required to betransmitted without signature, whether it is recommended that themessage be digitally signed, or whether it is recommended that thedigitally signed message be transmitted without signature, are dependenton whether the message contains one or more keywords, or combination ofkeywords, in a predetermined list of keywords.
 843. The method of claim840 wherein whether the message is required to be digitally signed,whether the digitally signed message is required to be transmittedwithout signature, whether it is recommended that the message bedigitally signed, or whether it is recommended that the digitally signedmessage be transmitted without signature, are dependent on the identityof the author of the outbound message.
 844. The method of claim 840wherein whether the digitally signed message is required to betransmitted without signature, or whether it is recommended that thedigitally signed message be transmitted without signature, are dependenton the type of digital certificate or signing key used to digitally signthe message.
 845. The method of claim 840 comprising determining whatdigital certificates, or signing keys, are available to digitally signan outbound message, and wherein whether the message is required to bedigitally signed, whether the digitally signed message is required to betransmitted without signature, whether it is recommended that themessage be digitally signed, or whether it is recommended that thedigitally signed message be transmitted without signature, are dependenton the type of certificate or signing key used to digitally sign themessage, and on the types of digital certificate or signing keyavailable to sign the message.
 846. The method of claim 840 comprisingcausing the outbound message that is to be forwarded to first bere-directed to a third party for approval, wherein if the third partygives his approval, the outbound message is forwarded to the originallyintended recipients in the normal way.
 847. The method of claim 840wherein said analysing step is performed at each of said one or moreworkstations.
 848. The method of claim 840 wherein said application is aweb browser.
 849. The method of claim 848 wherein said analysing step isperformed by a plug-in module of said web browser.
 850. The method ofclaim 849 wherein said web browser is Microsoft's Internet Explorer andsaid plug-in module is a Browser Helper Object.
 851. The method of claim840 wherein said application is an e-mail client.
 852. The method ofclaim 851 wherein said analysing step is performed by a plug-in moduleof said e-mail client.
 853. The method of claim 852 wherein said e-mailclient is Microsoft's Outlook e-mail client and said plug-in module is aMicrosoft Exchange client extension.
 854. The method of claim 840wherein said application is an Instant messaging application.
 855. Themethod of claim 854 wherein said analysing step is, performed by aplug-in of said Instant messaging application.
 856. The method of claim840 wherein said application is a Voice Messaging application.
 857. Themethod of claim 856 wherein said analysing step is performed by aplug-in of said Voice messaging application.
 858. The method of claim840 wherein said network includes a server and said analysing step isperformed at a point on said network intermediate said one or moreworkstations and said server, or is performed at said server.
 859. Amethod of managing information comprising the steps of: providing one ormore workstations adapted for connection to a computer network, eachworkstation having a memory; providing an application stored in saidmemory of each workstation for transmitting outbound data to saidnetwork and receiving inbound data from said network; providing policydata containing rules for determining one or more particulars of theoutbound data, and for controlling the transmission of said outbounddata in dependence on those particulars; and analysing, in conjunctionwith said policy data, said outbound data to determine one or moreparticulars of the outbound message; and controlling the transmission ofsaid data according to said policy data, and said one or moreparticulars.
 860. The method of claim 859 wherein comprising preventingoutbound data being transmitted to a web site on the Internet, if it isdetermined in the analysing step that the web site is in apre-determined list of prohibited web sites, and if it is determinedthat the outbound data contains one or more pre-determined keywords, orcombinations of keywords.
 861. A computer software product, forcontrolling a computer to manage information, said computer beingconnected to a network and having access to policy data containing rulesfor controlling transmission of outbound data to the network, comprisinga recording medium readable by the computer, having program coderecorded thereon which when executed on said computer configures thecomputer to: analyse, in conjunction with an application running on saidcomputer that is operable to transmit outbound messages to said networkand receive inbound messages from said network, said outbound messagesto determine in conjunction with said rules of said policy data one ormore particulars of said outbound message; and selectively re-direct theoutbound message to a third party instead of the originally intendedrecipient in dependence on said one or more particulars.
 862. Thecomputer software product of claim 861 wherein the program coded isoperable to re-direct the outbound message to said third party if themessage is to be sent to one or more of a pre-determined list ofrecipients or addresses.
 863. The computer software product of claim 861wherein said policy data comprises a list of names of company employeeswho can use said application to send outbound messages from and receiveinbound messages at a company address, and wherein the program code isoperable to re-direct the outbound message of any of said employees tosaid third party, if it determines that the intended address of theoutbound message contains one of a predetermined list of domain names,and if the intended address comprises at least one of the surname, firstnames, or initials of an employee in said list of names.
 864. Thecomputer software product of claim 861 wherein the program code isoperable to re-direct the outbound message to said third party if themessage contains one or more pre-determined keywords or combination ofkeywords.
 865. The computer software product of claim 861 wherein theprogram code is operable to re-direct the outbound message to said thirdparty if the message or attachments to the message are to be encryptedbefore transmission.
 866. The computer software product of claim 865wherein the program code is operable to re-direct the message with itsoriginal encryption key to the third party, and wherein means areprovided on the re-directed message, received by the third party for thethird party to approve the message for transmission to the originallyintended recipient and re-encrypt the message with the original key.867. The computer software product of claim 865 wherein the program codeis operable to add text to the message before it is re-directedindicating that it is a red-directed message.
 868. The computer softwareproduct of claim 861 wherein the program code is operable to re-directthe outbound message to said third party if the message or containsattachments, or particular types of attachments.
 869. The computersoftware product of claim 861 wherein the program code is operable tore-direct the outbound message to said third party if the messagecontains attachments and if the body or the subject of the messagecontains less than a pre-determined amount of text.
 870. The computersoftware product of claim 861 wherein the program code is operable tore-direct the outbound message to said third party in dependence on theidentity of the author of the message.
 871. The computer softwareproduct of claim 861 wherein means are provided on the re-directedmessage received by the third party for the third party to approve themessage for transmission to the originally intended recipient.
 872. Thecomputer product of claim 861 wherein said program code is executable ateach of said computers.
 873. The computer program product of claim 861wherein said application is a web browser.
 874. The computer programproduct of claim 873 wherein said program code when executed on saidcomputer is a plug-in module of said web browser.
 875. The computerprogram product of claim 874 wherein said web browser is Microsoft'sInternet Explorer and said plug-in module is a Browser Helper Object.876. The computer program product of claim 861 wherein said applicationis an e-mail client.
 877. The computer program product of claim 876wherein said program code when executed on said computer is a plug-inmodule of said e-mail client.
 878. The computer program product of claim877 wherein said e-mail client is Microsoft's Outlook e-mail client andsaid plug-in module is a Microsoft Exchange client extension.
 879. Thecomputer software product of claim 861 wherein said application is anInstant messaging application.
 880. The computer software product ofclaim 879 wherein said program code when executed on said computer is aplug-in of said Instant messaging application.
 881. The computersoftware product of claim 861 wherein said application is a VoiceMessaging application.
 882. The computer software product of claim 881wherein said program code when executed on said computer is a plug-in ofsaid Voice messaging application.
 883. The computer program product ofclaim 861 wherein said network includes a server and said program codeis executable at a point on said network intermediate said one or moreworkstations and said server, or said program code is executable at saidserver.
 884. A computer software product, for controlling a computer tomanage information, said computer being connected to a network andhaving access to policy data containing rules for controllingtransmission of outbound data to the network, comprising a recordingmedium readable by the computer, having program code recorded thereonwhich when executed on said computer configures the computer to:analyses in conjunction with an application running on said computerthat is operable to transmit outbound messages to said network andreceive inbound messages from said network, said outbound messages todetermine in conjunction with said rules of said policy data one or moreparticulars of said outbound message, and selectively prevent theoutbound message being forwarded to another recipient, or to issue awarning before a message is forwarded to another recipient, independence on the rules defined in said policy data.
 885. The computersoftware product of claim 884 wherein the policy data defines one ormore pre-determined keywords, and wherein if it is determined that themessage contains one or more of the pre-determined keywords orcombination of keywords, the message is prevented from being forwardedto another recipient or a warning is issued before the message isforwarded.
 886. The computer software product of claim 884 wherein theprogram code is operable to prevent a message being forwarded to one ormore of a pre-determined list of addresses, or to issue a warning beforeforwarding the message to one or more of the pre-determined list ofaddresses.
 887. The computer software product of claim 884 wherein theprogram code is operable to prevent a message being forwarded to anaddress outside a pre determined group of addresses, or to issue awarning before forwarding the message, if previously the message hasonly been transmitted among the pre-determined group of addresses. 888.The computer software product of claim 884 wherein the received messagehas a one or more attributes configurable by the sender of the message,one of those attributes being a “do-not-forward” attribute, and theprogram code is operable to prevent a received message being forwardedas an outbound message if the sender of the received message set the“do-not-forward” attribute.
 889. The computer software product of claim884 wherein the program code is operable to prevent forwarding of themessage, or to issue a warning before forwarding the message, if therecipient forwarding the message was the only recipient of the originalmessage.
 890. The computer software product of claim 884 wherein theprogram code is further operable to cause the outbound message that isto be forwarded to first be re-directed to a third party for approval,wherein if the third party gives his approval, the outbound message isforwarded to the originally intended recipients in the normal way. 891.The computer program product of claim 884 wherein said program code isexecutable at each of said computers.
 892. The computer program productof claim 884 wherein said application is a web browser.
 893. Thecomputer program product of claim 892 wherein said program code whenexecuted on said computer is a plug-in module of said web browser. 894.The computer program product of claim 893 wherein said web browser isMicrosoft's Internet Explorer and said plug-in module is a BrowserHelper Object.
 895. The computer program product of claim 884 whereinsaid application is an e-mail client.
 896. The computer program productof claim 895 wherein said program code when executed on said computer isa plug-in module of said e-mail client.
 897. The computer programproduct of claim 896 wherein said e-mail client is Microsoft's Outlooke-mail client and said plug-in module is a Microsoft Exchange clientextension.
 898. The computer software product of claim 884 wherein saidapplication is an Instant messaging application.
 899. The computersoftware product of claim 898 wherein said program code when executed onsaid computer is a plug-in of said Instant messaging application. 900.The computer software product of claim 884 wherein said application is aVoice Messaging application.
 901. The computer software product of claim900 wherein said program code when executed on said computer is aplug-in of said Voice messaging application.
 902. The computer programproduct of claim 884 wherein said network includes a server and saidprogram code is executable at a point on said network intermediate saidone or more workstations and said server, or said program code isexecutable at said server.
 903. A computer software product, forcontrolling a computer to manage information, said computer beingconnected to a network and having access to policy data containing rulesfor controlling transmission of outbound data to the network, comprisinga recording medium readable by the computer, having program coderecorded thereon which when executed on said computer configures thecomputer to: analyse, in conjunction with an application running on saidcomputer that is operable to transmit outbound messages to said networkand receive inbound messages from said network, said outbound messagesto determine in conjunction with said rules of said policy data one ormore particulars of said outbound message; and either selectivelyrequire that the outbound message be digitally signed beforetransmission, or that a digitally signed outbound message not bedigitally signed; or notify the sender of the outbound message thatdigitally signing is recommended, or that in the case of a digitallysigned message, digitally signing is not recommended.
 904. The computersoftware product of claim 903 wherein whether the message is required tobe digitally signed, whether the digitally signed message is required tohe transmitted without signature, whether it is recommended that themessage be digitally signed, or whether it is recommended that thedigitally signed message be transmitted without signature, are dependenton the intended recipient or address of the message.
 905. The computersoftware product of claim 903 wherein whether the message is required tobe digitally signed, whether the digitally signed message is required tobe transmitted without signature, whether it is recommended that themessage be digitally signed, or whether it is recommended that thedigitally signed message be transmitted without signature, are dependenton whether the message contains one or more keywords, or combination ofkeywords, in a pre-determined list of keywords.
 906. The computersoftware product of claim 903 wherein whether the message is required tobe digitally signed, whether the digitally signed message is required tobe transmitted without signature, whether it is recommended that themessage be digitally signed, or whether it is recommended that thedigitally signed message be transmitted without signature, are dependenton the author of the outbound message.
 907. The computer softwareproduct of claim 903 wherein whether the digitally signed message isrequired to be transmitted without signature, or whether it isrecommended that the digitally signed message be transmitted withoutsignature, are dependent on the type of digital certificate or signingkey used to digitally sign the message.
 908. The computer softwareproduct of claim 903 wherein the program code is operable to determinewhat digital certificates, or signing keys, are available to digitallysign an outbound message, and wherein whether the message is required tobe digitally signed, whether the digitally signed message is required tobe transmitted without signature, whether it is recommended that themessage be digitally signed, or whether it is recommended that thedigitally signed message be transmitted without signature, are dependenton the type of certificate or signing key used to digitally sign themessage, and on the types of digital certificate or signing keyavailable to sign the message.
 909. The computer software product ofclaim 903 wherein the program code is further operable to cause theoutbound message that is to be forwarded to first be re-directed to athird party for approval, wherein if the third party gives his approval,the outbound message is forwarded to the originally intended recipientsin the normal way.
 910. The computer program product of claim 903wherein said program code is executable at each of said computers. 911.The computer program product of claim 903 wherein said application is aweb browser.
 912. The computer program product of claim 911 wherein saidprogram code when executed on said computer is a plug-in module of saidweb browser.
 913. The computer program product of claim 912 wherein saidweb browser is Microsoft's Internet Explorer and said plug-in module isa Browser Helper Object.
 914. The computer program product of claim 903wherein said application is an e-mail client.
 915. The computer programproduct of claim 914 wherein said program code when executed on saidcomputer is a plug-in module of said e-mail client.
 916. The computerprogram product of claim 915 wherein said e-mail client is Microsoft'sOutlook e-mail client and said plug-in module is a Microsoft Exchangeclient extension.
 917. The computer software product of claim 903wherein said application is an Instant messaging application.
 918. Thecomputer software product of claim 917 wherein said program code whenexecuted on said computer is a plug-in of said Instant messagingapplication.
 919. The computer software product of claim 903 whereinsaid application is a Voice Messaging application.
 920. The computersoftware product of claim 919 wherein said program code when executed onsaid computer is a plug-in of said Voice messaging application.
 921. Thecomputer program product of claim 903 wherein said network includes aserver and said program code is executable at a point on said networkintermediate said one or more workstations and said server, or saidprogram code is executable at said server.
 922. A computer softwareproduct, for controlling a computer to manage information, said computerbeing connected to a network and having access to policy data containingrules for controlling transmission of outbound data to the network,comprising a recording medium readable by the computer, having programcode recorded thereon which when executed on said computer configuresthe computer to: analyse, in conjunction with an application running onsaid computer that is operable to transmit outbound data to said networkand receive inbound data from said network, said outbound data todetermine in conjunction with said rules of said policy data one or moreparticulars of said outbound data; and control the transmission of saiddata according to said policy data and said one or more particulars ofsaid outbound message.
 923. The computer software product of claim 922wherein the program code is operable to prevent outbound data beingtransmitted to a web site on the Internet, if it determines that the website is in a pre-determined list of prohibited web sites, and if it isdetermined that the outbound data contains one or more pre-determinedkeywords, or combinations of keywords.